gorilla/sessions

FilesystemStore is vulnerable to directory traversal attacks

neild opened this issue · 2 comments

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I'm filing this as a public issue, since it has already been disclosed elsewhere.

FilesystemStore uses an unsanitized Session.ID when constructing filenames. The documentation for Session states that ID "should not be used for user data", but I don't see anything in the documentation stating that IDs must not contain path traversal characters.

Path traversal in FilesystemStore is a component of CVE-2024-3400 in Palo Alto VPN (https://unit42.paloaltonetworks.com/cve-2024-3400/), an actively-exploited remote code execution attack. While this presumably stems from a misuse of the Session API, in which attacker-controlled data was used as a Session.ID, this demonstrates that lack of sanitization is quite hazardous.

The Go Vulnerability Database has assigned this the ID https://pkg.go.dev/vuln/GO-2024-2730.

Expected Behavior

No response

Steps To Reproduce

No response

Anything else?

No response
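The hazard described in the report is the step where a session ID is joined onto the store directory without any check on its contents. The following is an added example, not code from gorilla/sessions or from the reporter, of how a caller can validate an ID before it reaches the file system: an allow-list on the ID's characters, plus a second check that the cleaned, joined path still lies under the store directory. The `session_` prefix, the permitted alphabet and the function name `SessionFilePath` are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadSessionID is returned when a session ID cannot safely be used as
// part of a file name.
var ErrBadSessionID = errors.New("session ID contains characters not allowed in a file name")

// sessionIDPattern is the allow-list for IDs. URL-safe base64 characters
// without padding are assumed here; an ID that the application generates
// itself never needs '/', '\', '.' or NUL.
var sessionIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// SessionFilePath builds the on-disk path for a session file and refuses any
// ID that could escape the store directory. Hypothetical helper for this
// example, not FilesystemStore's own code.
func SessionFilePath(dir, id string) (string, error) {
	// First line of defence: reject anything outside the allow-list,
	// which includes the empty ID, path separators and "..".
	if !sessionIDPattern.MatchString(id) {
		return "", ErrBadSessionID
	}

	base := filepath.Clean(dir)
	p := filepath.Join(base, "session_"+id)

	// Defence in depth: even with the allow-list above, confirm that the
	// cleaned result is still inside the store directory. filepath.Rel
	// yields ".." or a "../"-prefixed path when p lies outside base.
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || filepath.IsAbs(rel) ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadSessionID
	}
	return p, nil
}

func main() {
	// Constructed sample IDs: one well-formed, three that must be refused.
	for _, id := range []string{"abc123_-", "../../etc/passwd", "", "x/y"} {
		p, err := SessionFilePath("/var/lib/sessions", id)
		fmt.Printf("%-20q -> %q %v\n", id, p, err)
	}
}
```

The character allow-list does the real work; the `filepath.Rel` check is there so that a later change to the allow-list (for example, to admit a dot) cannot silently reintroduce traversal.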

I think it has been fixed in this MR

#274

That's correct, thanks @mlec1