
[BUG] Path Traversal Vulnerability with Static Web Server #274

Closed
YamiOdymel opened this issue Jul 31, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@YamiOdymel

Describe the bug

A logged-in user can access /etc/passwd through the Web Directory Manager in Static Web Server.

To Reproduce

  1. Go to the Static Web Server tab.
  2. Click on index.html in the Web Directory Manager section.
  3. The URL http://localhost:8000/api/fs/download?file=/index.html&preview=true appears.
  4. Replace it with http://localhost:8000/api/fs/download?file=/../../../../../../../../../../../etc/passwd&preview=true.

Expected behavior

It should return file not found because it is out of bounds.

Screenshots


Host Environment (please complete the following information):

  • Arch: amd64
  • OS: Ubuntu 22.04 (WSL v2)
  • Zoraxy Version: v3.0.9

Additional context

Steps provided in the Golang Path Traversal Guide: Examples and Prevention:

  • Reflect the relative paths to the actual system path with filepath.Clean().
  • Evaluate the symlinks to ensure that files within bounds are not pointing outside of the bound using filepath.EvalSymlinks().
  • Make sure the final path is within a trusted root using filepath.Dir().
YamiOdymel added the bug label Jul 31, 2024
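The three steps listed in the report, worked into one containment check, as an added Go example that is not part of Zoraxy and not code from the original report. NaiveResolve is a hypothetical stand-in for the pattern the report describes (query value joined onto the web root with no bounds check), not the project's actual code; ResolveWithinRoot, CanonicalRoot and within are example names; the web root, index.html, secret file and the symlink inside the root are constructed in main so the program runs offline. The example goes slightly beyond the report by also covering the symlink case the guide's second step warns about.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any request that would resolve outside the web root.
var ErrOutsideRoot = errors.New("requested path escapes the web root")

// NaiveResolve is the vulnerable pattern the report describes (hypothetical, not
// Zoraxy's code): the ?file= value is appended to the root with no containment
// check, so a run of "../" walks straight out of it.
func NaiveResolve(root, requested string) string {
	return filepath.Join(root, requested)
}

// CanonicalRoot returns the absolute, symlink-resolved form of root so that all
// later comparisons are made against real paths.
func CanonicalRoot(root string) (string, error) {
	abs, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	return filepath.EvalSymlinks(abs)
}

// within reports whether p is root itself or a descendant of it. filepath.Rel is
// used instead of a bare string prefix so "/srv/www2" is not taken as a child of "/srv/www".
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveWithinRoot maps a user-supplied path onto a file under root and rejects
// anything that escapes it, both before and after symlink resolution.
func ResolveWithinRoot(root, requested string) (string, error) {
	realRoot, err := CanonicalRoot(root)
	if err != nil {
		return "", err
	}
	// 1. Lexical normalisation: Join cleans "..", "." and repeated separators.
	//    Checking containment here, rather than silently forcing the path under
	//    root, lets the server reject traversal attempts explicitly.
	candidate := filepath.Join(realRoot, filepath.FromSlash(requested))
	if !within(realRoot, candidate) {
		return "", ErrOutsideRoot
	}
	// 2. Symlink resolution: a link inside the root may point outside it, so the
	//    containment check is repeated on the real path. EvalSymlinks also fails
	//    for missing files, which the caller should surface as "not found".
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	if !within(realRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

func main() {
	// Constructed sandbox: a web root, a secret beside it, and a symlink inside the root to the secret.
	tmp, err := os.MkdirTemp("", "traversal-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	webroot := filepath.Join(tmp, "www")
	secret := filepath.Join(tmp, "secret.txt")
	must(os.MkdirAll(webroot, 0o755))
	must(os.WriteFile(filepath.Join(webroot, "index.html"), []byte("<h1>hi</h1>"), 0o644))
	must(os.WriteFile(secret, []byte("not for download"), 0o600))
	must(os.Symlink(secret, filepath.Join(webroot, "leak")))

	for _, req := range []string{
		"/index.html",
		"/../../../../../../../../../../../etc/passwd", // the request from the report
		"/leak",                                        // symlink escape, only caught after EvalSymlinks
		"/missing.html",
	} {
		safe, err := ResolveWithinRoot(webroot, req)
		fmt.Printf("%-46s naive=%-40s safe=%q err=%v\n", req, NaiveResolve(webroot, req), safe, err)
	}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```

Apply the check to the already-decoded query value (net/http decodes percent-encoding when it parses r.URL.Query()) and open the file only after it passes; returning the same "not found" for a missing file and for a rejected traversal avoids telling the client where the root boundary lies. Requiring authentication in front of the endpoint, as the thread below notes, limits who can reach it but is not a substitute for the containment check.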
@krosseyed

This also affects ARM64 on v3.1.0. I am able to reproduce this on my setup.

@tobychui (Owner)

tobychui commented Jul 31, 2024

@krosseyed No worry, this API requires authentication before access and this does not pose an immediate security risk to Zoraxy. This will be fixed in the next release.

@krosseyed

Ah, I see access is denied to that URL after logging out. I do have to log in to get traversal to /etc/passwd, and I do not expose Zoraxy directly to the internet.

Thanks for being proactive on this @tobychui and I really enjoy using this software!

@klisza1993

For the future maybe it would be better to not post it publicly? :D

@YamiOdymel (Author)

> For the future maybe it would be better to not post it publicly? :D

I did feel sorry and private messaged @tobychui to talk about this 💀💀

I'll be more careful next time to avoid any concerns

tobychui added a commit that referenced this issue Aug 13, 2024
- Replaced all log.Println in acme module to system wide logger
- Fixed file manager path escape bug #274
tobychui added a commit that referenced this issue Sep 4, 2024
@tobychui (Owner)

tobychui commented Sep 4, 2024

Patched

tobychui closed this as completed Sep 4, 2024