GitHub Security Lab (GHSL) Vulnerability Report, ShokoServer: GHSL-2023-191
The GitHub Security Lab team has identified a potential security vulnerability in ShokoServer.
We are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively coordinate a resolution of this issue with the GHSL team.
If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at [email protected] (please include GHSL-2023-191 as a reference).
If you are NOT the correct point of contact for this report, please let us know!
Summary
An arbitrary file read exists in the /api/Image/WithPath endpoint that would allow unauthenticated attackers to read arbitrary files on Windows systems.
Product
ShokoServer
Tested Version
v4.2.2
Details
The /api/Image/WithPath endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter serverImagePath, which is not sanitized in any way before being passed to System.IO.File.OpenRead, which results in an arbitrary file read.
[HttpGet("WithPath/{serverImagePath}")]
public object GetImageUsingPath(string serverImagePath)
{
    // serverImagePath comes straight from the route and is used as a file path
    // without any normalisation or containment check.
    if (!System.IO.File.Exists(serverImagePath))
    {
        logger.Trace("Could not find AniDB_Cover image: {0}", serverImagePath);
        return NotFound();
    }

    Response.ContentType = Mime.GetMimeMapping(serverImagePath);
    return System.IO.File.OpenRead(serverImagePath);
}
Impact
This issue may lead to Arbitrary File Read. The Windows installer installs ShokoServer as administrator, so any unauthenticated attacker may be able to access sensitive information and read files stored on the server.
Remediation
- Ensure that the user input serverImagePath is within the expected path by first calling fullPath = System.IO.Path.GetFullPath(serverImagePath)
- Call fullPath.StartsWith(basePath), where basePath represents the folder that the images should be stored in.
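A hardened form of the endpoint that applies the two remediation steps above. This is an added example, not ShokoServer's own code; ImageBasePath is an assumed configuration value naming the images folder. It also closes two gaps a bare StartsWith leaves open: a base folder without a trailing separator (C:\images would accept C:\images_secret\x) and a rooted serverImagePath, which Path.Combine returns unchanged.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Mvc;

public static class ServerImagePath
{
    // Returns the absolute path of serverImagePath inside basePath, or null if
    // the input is rooted, empty, or escapes basePath after normalisation.
    public static string ResolveOrNull(string basePath, string serverImagePath)
    {
        if (string.IsNullOrEmpty(serverImagePath) || Path.IsPathRooted(serverImagePath))
            return null; // "C:\..." or "\\server\..." is never a server image name

        // Normalise the base and force a trailing separator so the prefix test
        // cannot be satisfied by a sibling folder that merely shares the prefix.
        string baseFull = Path.GetFullPath(basePath);
        string sep = Path.DirectorySeparatorChar.ToString();
        if (!baseFull.EndsWith(sep, StringComparison.Ordinal))
            baseFull += sep;

        // GetFullPath collapses "." and ".." segments (and "/" on Windows),
        // so the containment check runs on the path the file system will open.
        string fullPath = Path.GetFullPath(Path.Combine(baseFull, serverImagePath));

        // Windows paths are case-insensitive; an ordinal comparison is deliberate.
        return fullPath.StartsWith(baseFull, StringComparison.OrdinalIgnoreCase)
            ? fullPath
            : null;
    }
}

public partial class ImageController : ControllerBase
{
    // Assumed: the folder the default server images are stored in.
    private static readonly string ImageBasePath =
        Path.Combine(AppContext.BaseDirectory, "images");

    [HttpGet("WithPath/{serverImagePath}")]
    public IActionResult GetImageUsingPath(string serverImagePath)
    {
        string fullPath = ServerImagePath.ResolveOrNull(ImageBasePath, serverImagePath);
        // Rejected and missing files get the same response, so the endpoint
        // does not reveal which paths outside the images folder exist.
        if (fullPath == null || !System.IO.File.Exists(fullPath))
            return NotFound();

        return PhysicalFile(fullPath, Mime.GetMimeMapping(fullPath));
    }
}
```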
Resources
In order to exploit this vulnerability on Windows, run curl http://shokoserver.domain/api/Image/withpath/C:\Windows\secret.txt, where shokoserver.domain is your ShokoServer instance. This will return the contents of C:\Windows\secret.txt. Browsers will auto-convert \ to /, so use a tool like curl or a proxy to ensure the path is correct.
This vulnerability was found with the help of CodeQL's Path Injection query.
GitHub Security Advisories
We recommend you create a private GitHub Security Advisory for this finding. This also allows you to invite the GHSL team to collaborate and further discuss this finding in private before it is published.
Credit
This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at [email protected]; please include a reference to GHSL-2023-191 in any communication regarding this issue.
Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.