Submission #754241: CoCoTeaNet CyreneAdmin ≤1.3.0 Directory Traversal Info

Title: CoCoTeaNet CyreneAdmin ≤1.3.0 Directory Traversal

Description:

**Title:** Arbitrary File Read Vulnerability in CyreneAdmin
**BUG_Author:** sageee
**Affected Version:** CyreneAdmin (Current GitHub Head)
**Vendor:** CoCoTeaNet GitHub Repository
**Software:** CyreneAdmin
**Vulnerability Url:** `/api/system/user/getAvatar`

**Description:**

1. **Path Traversal via Avatar Retrieval:**
   - In the CyreneAdmin system, the endpoint `/api/system/user/getAvatar` is designed to retrieve user avatar images from the server.
   - The application fails to properly sanitize the `avatar` parameter: it blindly appends the user-supplied filename to the configured avatar storage directory (e.g., `/home/sageee/avatar/`).
   - This creates a Directory Traversal (Path Traversal) vulnerability, allowing attackers to access files outside the intended directory structure.
2. **Exploiting the Arbitrary File Read:**
   - By manipulating the `avatar` parameter with "dot-dot-slash" sequences (`../`), an attacker can traverse up the directory tree to the system root or other sensitive directories.
   - Specifically, since the base path is `/home/sageee/avatar/`, supplying `../test.txt` causes the server to resolve the path to `/home/sageee/test.txt`, bypassing the restriction to the `avatar` folder.
   - Successful exploitation can lead to the disclosure of sensitive server files, configuration data, source code, or system credentials.
3. **Example Path Traversal Payload:**
   - The injection occurs by providing a relative path that points to a file known to exist in a parent directory.
   - Payload for accessing a sibling file (`test.txt`): `../test.txt`
   - Payload for accessing system files (theoretical): `../../../../../../etc/passwd`
4. **Requesting the Endpoint:**
   - Send a GET request to the target system with the malicious traversal payload in the query string.

**Vulnerability Request:**

```http
GET /api/system/user/getAvatar?avatar=../test.txt HTTP/1.1
Host: localhost:8080
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Priority: u=0, i
Cookie: Authorization=QZ7ip8jBfny4WL7lpE5OikgGNm33B1StLWaKxtMH9OcWlcu9v9P6n6wXxwF6LY5H
Sec-Fetch-Mode: navigate
```

5. **Verifying the Exploit:**
   - Verification is confirmed by observing the server response content:
     - The server responds with **HTTP 200 OK**.
     - The **Content-Length** is 5.
     - The response body contains the string `test`, which matches the content of the `test.txt` file located in the parent directory (`/home/sageee/test.txt`), rather than an image file from the avatar directory.
   - This proves that the application successfully read and returned the content of a file outside the intended storage path.
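As an added example that is not CyreneAdmin's code, the following Python contrasts the unchecked join described in the report with a canonicalize-and-verify resolver that keeps `avatar` inside the storage directory. The base directory and file names come from the report; the function names are assumptions.

```python
"""Added example (not CyreneAdmin's code): resolving the `avatar` parameter
safely against the storage directory described in the report."""
import os
from typing import Optional

# Base directory taken from the report's example deployment.
AVATAR_DIR = "/home/sageee/avatar"


def vulnerable_resolve(avatar: str, base_dir: str = AVATAR_DIR) -> str:
    """The behaviour the report describes: the user-supplied filename is
    appended to the base directory with no containment check, so
    "../test.txt" becomes /home/sageee/test.txt."""
    return os.path.normpath(os.path.join(base_dir, avatar))


def resolve_avatar_path(avatar: str, base_dir: str = AVATAR_DIR) -> Optional[str]:
    """Hardened variant (assumed helper, not the project's API).

    Returns the canonical path of `avatar` inside `base_dir`, or None when
    the request would escape it. Canonicalizing with realpath also resolves
    symlinks, so a link inside the avatar folder cannot point outside it.
    """
    # Reject empty names and NUL bytes before touching the filesystem layer.
    if not avatar or "\x00" in avatar:
        return None
    base = os.path.realpath(base_dir)
    # join() discards `base` if `avatar` is absolute (e.g. "/etc/passwd");
    # the containment check below catches that case as well.
    candidate = os.path.realpath(os.path.join(base, avatar))
    # The resolved file must be strictly below the base directory.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("user1.png", "../test.txt", "../../../../../../etc/passwd"):
        print(f"{name!r:40} unchecked={vulnerable_resolve(name)!r:32} "
              f"checked={resolve_avatar_path(name)!r}")
```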
User: sageee (UID 82251)
Submitted: 2026-02-08 14:09 (4 months ago)
Moderation: 2026-02-18 15:20 (10 days later)
Status: Accepted
VulDB Entry: 346492 [CoCoTeaNet CyreneAdmin up to 1.3.0 Image getAvatar avatar directory traversal]
Points: 17
