| Title | AstrBotDevs AstrBot 4.24.2 Path Traversal (CWE-22) |
|---|---|
| Description | # Technical Details
A Path Traversal vulnerability exists in the `post_file` method in `astrbot/dashboard/routes/chat.py` of AstrBot.
The application fails to sanitize the `file.filename` attribute when processing uploaded attachments in the authenticated dashboard API. The attacker-controlled filename is concatenated directly onto the attachments directory path using `os.path.join()`. This allows an attacker to supply path traversal segments (e.g., `../`) in the filename to write files to arbitrary writable locations on the filesystem, circumventing the intended upload sandbox.
# Vulnerable Code
File: astrbot/dashboard/routes/chat.py
Method: post_file
Why: The code uses the attacker-provided `file.filename` directly inside `os.path.join(self.attachments_dir, filename)` without applying `secure_filename()` or validating that the resolved absolute path still resides within `self.attachments_dir`.
# Reproduction
1. Log into the AstrBot dashboard using valid credentials.
2. Send a multipart `POST` request to the `/api/chat/post_file` endpoint.
3. Supply a crafted `filename` in the file payload containing path traversal characters (e.g., `../../../../../../tmp/malicious.txt`).
4. Verify that the file has been written to the targeted absolute path outside the intended attachments directory.
# Impact
- Arbitrary file write to the underlying server's filesystem.
- Overwriting application configuration or runtime data.
- Potential code execution or privilege escalation if sensitive files or execution paths are overwritten. |
| Source | https://gist.github.com/YLChen-007/217a2e975faf5a5be6d76c63cb3f402e |
| User | Eric-a (UID 96353) |
| Submission | 07/05/2026 01:33 PM (1 month ago) |
| Moderation | 31/05/2026 09:14 AM (24 days later) |
| Status | Duplicate |
| VulDB Entry | 364381 [AstrBotDevs AstrBot up to 4.23.5 File Upload chat.py post_file filename directory traversal] |
| Points | 0 |
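The following is an added example, not code from AstrBot or from the submission above: it shows the shape of the unchecked `os.path.join()` the description refers to, a check that detects when such a join escapes the attachments directory, and a hardened variant that performs the containment validation the "Why" paragraph recommends (using a basename strip plus a resolved-path check rather than `secure_filename()`). The directory name and the function names are assumptions.

```python
import os
from pathlib import Path

# Constructed stand-in for the attachments directory an upload handler writes into.
ATTACHMENTS_DIR = os.path.abspath("attachments_demo")


def vulnerable_target(attachments_dir: str, filename: str) -> str:
    """Shape of the flaw described above (hypothetical, not AstrBot's code): the
    client-supplied filename is joined onto the attachments directory with no
    check on where it resolves, so '../' segments or an absolute name leave it."""
    return os.path.join(attachments_dir, filename)


def escapes_sandbox(attachments_dir: str, filename: str) -> bool:
    """True when the unchecked join would resolve outside attachments_dir."""
    root = Path(attachments_dir).resolve()
    target = Path(vulnerable_target(attachments_dir, filename)).resolve()
    return root not in target.parents


def safe_target(attachments_dir: str, filename: str):
    """Hardened variant: keep only the final path component, refuse empty or
    dot-only names, then confirm the resolved path is a direct child of the
    resolved attachments directory (this also rejects a planted symlink that
    points elsewhere). Returns the path to write, or None when rejected."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return None
    root = Path(attachments_dir).resolve()
    candidate = (root / base).resolve()
    if candidate.parent != root:
        return None
    return str(candidate)


if __name__ == "__main__":
    # Constructed filenames: one traversal attempt from the report, one ordinary upload.
    for name in ("../../../../../../tmp/malicious.txt", "report.txt"):
        print(name, "| escapes:", escapes_sandbox(ATTACHMENTS_DIR, name),
              "| stored as:", safe_target(ATTACHMENTS_DIR, name))
```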