Coordinated Disclosure Timeline

Summary

An arbitrary file read exists in the /api/Image/WithPath endpoint that would allow unauthenticated attackers to read arbitrary files on Windows systems.

Product

ShokoServer

Tested Version

v4.2.2

Details

/api/Image/WithPath arbitrary file read (GHSL-2023-191)

The /api/Image/WithPath endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter serverImagePath, which is not sanitized in any way before being passed to System.IO.File.OpenRead, which results in an arbitrary file read.

  [HttpGet("WithPath/{serverImagePath}")]
    public object GetImageUsingPath(string serverImagePath)
    {
        if (!System.IO.File.Exists(serverImagePath))
        {
            logger.Trace("Could not find AniDB_Cover image: {0}", serverImagePath);
            return NotFound();
        }

        Response.ContentType = Mime.GetMimeMapping(serverImagePath);
        return System.IO.File.OpenRead(serverImagePath);
    }

Impact

This issue may lead to Arbitrary File Read. The windows installer installs the ShokoServer as administrator, so any unauthenticated attacker may be able to access sensitive information and read files stored on the server.

Resources

In order to exploit this vulnerability on Windows, run curl http:/shokoserever.domain/api/Image/withpath/C:\Windows\secret.txt, where shokoserever.domain is your ShokoServer instance. This will return the contents of C:\Windows\secret.txt. Browsers will auto convert \ to / so use a tool like curl or a proxy to ensure the path is correct.

This vulnerability was found with the help of CodeQl’s Path Injection Query.

CVE

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-191 in any communication regarding this issue.