Coordinated Disclosure Timeline
- 2023-09-21: Advisory Sent To Maintainers
- 2023-09-28: Advisory published in the repository and patch merged. CVE assigned.
Summary
An arbitrary file read exists in the /api/Image/WithPath endpoint that would allow unauthenticated attackers to read arbitrary files on Windows systems.
Product
ShokoServer
Tested Version
Details
/api/Image/WithPath arbitrary file read (GHSL-2023-191)
The /api/Image/WithPath endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter serverImagePath, which is not sanitized in any way before being passed to System.IO.File.OpenRead, which results in an arbitrary file read.
[HttpGet("WithPath/{serverImagePath}")]
public object GetImageUsingPath(string serverImagePath)
{
if (!System.IO.File.Exists(serverImagePath))
{
logger.Trace("Could not find AniDB_Cover image: {0}", serverImagePath);
return NotFound();
}
Response.ContentType = Mime.GetMimeMapping(serverImagePath);
return System.IO.File.OpenRead(serverImagePath);
}
Impact
This issue may lead to Arbitrary File Read. The windows installer installs the ShokoServer as administrator, so any unauthenticated attacker may be able to access sensitive information and read files stored on the server.
Resources
In order to exploit this vulnerability on Windows, run curl http:/shokoserever.domain/api/Image/withpath/C:\Windows\secret.txt, where shokoserever.domain is your ShokoServer instance. This will return the contents of C:\Windows\secret.txt. Browsers will auto convert \ to / so use a tool like curl or a proxy to ensure the path is correct.
This vulnerability was found with the help of CodeQl’s Path Injection Query.
CVE
- CVE-2023-43662
Credit
This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-191 in any communication regarding this issue.