huntr | Kevin-mizu | 07755F07-A412-4911-84A4-2F8C03C8F7CE
May 22, 2022 - 8:05 p.m.

Path Traversal

2022-05-22 20:05:50
kevin-mizu
www.huntr.dev
13
path traversal
user privilege
file sanitization
proof of concept
directory traversal
file creation
security bug

EPSS

0.001

Percentile

38.2%

🔒️ Requirements

Privilege: User

📝 Description

The file path isn’t properly sanitized and allows ..\.

🕵️‍♂️ Proof of Concept

Listing another user's folder content

First, create a user with the Read privilege and a specific home folder such as /test. Then log in to that account and open the home page at http://localhost:8080/:

PT_1.png

From this, change folder using path traversal via cd parameter:

PT_2.png

As you can see, we are able to view folder content.

Write file

First, create a user with Read and Write privileges and a specific home folder such as /test. Then log in to that account and open the home page at http://localhost:8080/. From there, create a new file named ..\test.txt, then go to the root folder with another account:

PT_4.png

You will see that the file was created outside of the test user’s folder limitation.

PS: Note that the same could be done to all features in the file https://github.com/filegator/filegator/blob/642bb273334207359166d48b6c719a89e98a0676/backend/Controllers/FileController.php due to:

$this->separator
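
The separator mismatch described above, as an added example that is not FileGator's code or part of the original report. The function names naiveJoin and resolveInsideHome and the sample inputs are hypothetical; the /test home folder is the one used in the report, and the "before" function assumes a sanitizer that knows only one separator.

```php
<?php
declare(strict_types=1);

// Constructed "before": splits on "/" only, so "..\test.txt" passes as one ordinary segment.
function naiveJoin(string $home, string $userPath): string
{
    $kept = [];
    foreach (explode('/', $userPath) as $seg) {
        if ($seg === '' || $seg === '.' || $seg === '..') {
            continue; // drops "../" but never sees "..\"
        }
        $kept[] = $seg;
    }
    return rtrim($home, '/') . '/' . implode('/', $kept);
}

// Hardened: treat "\" as a separator too, resolve segments, refuse to climb above home.
function resolveInsideHome(string $home, string $userPath): ?string
{
    if (strpos($userPath, "\0") !== false) {
        return null; // NUL bytes never belong in a file name
    }
    $stack = [];
    foreach (preg_split('#[/\\\\]+#', $userPath) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($stack === []) {
                return null; // would leave the home folder
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $seg;
    }
    return rtrim($home, '/') . '/' . implode('/', $stack);
}

// Constructed sample inputs, including the ..\test.txt name from the report.
foreach (['docs/a.txt', '../other', '..\\test.txt', 'a\\..\\..\\x'] as $p) {
    $safe = resolveInsideHome('/test', $p);
    printf("%-14s naive=%-20s hardened=%s\n", $p, naiveJoin('/test', $p), $safe ?? 'REJECTED');
}
```

The naive function returns /test/..\test.txt unchanged for the report's file name, which leaves the home folder wherever the storage layer treats \ as a separator; the hardened function rejects it.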
