Arbitrary File Read via Upload Function
A vulnerability in the latest version of the software allows any user to read any file on the system, including sensitive files like `config.py`. The issue has not yet been patched.
Available publicly on Dec 31 2024
Threat Overview
The vulnerability allows an attacker to exploit the upload function to read arbitrary files on the server. By intercepting the WebSocket request during a file upload and modifying the file path, the attacker can trick the server into copying and providing access to any file on the system. This can lead to exposure of sensitive information such as configuration files, credentials, and user data, which can be leveraged for further attacks.
Attack Scenario
An attacker uploads a file using the upload function and intercepts the WebSocket request. They modify the file path in the request to point to a sensitive file on the server, such as `config.py`. The server processes the request, copies the specified file to the `private_upload` folder, and provides a path to access the copied file. The attacker then accesses the file via a GET request, successfully reading the contents of the sensitive file.
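The defensive fix for the copy step described above, as an added example that is not the affected product's own code: the vendor's handler, its argument names (`staging_dir`, `private_upload`) and the files created in `demo()` are all constructed assumptions. The client-supplied path is resolved and refused unless it stays inside the upload staging directory, so a request pointing at `config.py` elsewhere on the server is rejected before anything is copied.

```python
import os
import shutil
import tempfile

class UnsafePathError(ValueError):
    """Raised when a client-supplied path escapes the staging directory."""

def resolve_within(base_dir: str, client_path: str) -> str:
    """Real path of client_path if it stays under base_dir, else UnsafePathError.
    realpath on both sides defeats '..' and symlinks; absolute paths are re-rooted."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, client_path.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"path escapes staging dir: {client_path!r}")
    return candidate

def copy_upload(staging_dir: str, client_path: str, private_upload: str) -> str:
    """Hardened copy step: only a file already inside staging_dir may be copied."""
    src = resolve_within(staging_dir, client_path)
    if not os.path.isfile(src):
        raise FileNotFoundError(src)
    os.makedirs(private_upload, exist_ok=True)
    dst = os.path.join(private_upload, os.path.basename(src))
    shutil.copy(src, dst)
    return dst

def demo() -> dict:
    """Constructed scenario (no real data): one legitimate upload inside the
    staging directory and a config.py outside it; returns the outcome per request."""
    root = tempfile.mkdtemp()
    for rel, text in (("staging/report.txt", "legit upload"),
                      ("app/config.py", "SECRET_KEY = 'constructed'")):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    staging = os.path.join(root, "staging")
    requests = {"legit": "report.txt",
                "traversal": "../app/config.py",
                "absolute": os.path.join(root, "app", "config.py")}
    outcomes = {}
    for label, path in requests.items():
        try:
            copy_upload(staging, path, os.path.join(root, "private_upload"))
            outcomes[label] = "copied"
        except (UnsafePathError, FileNotFoundError) as exc:
            outcomes[label] = type(exc).__name__
    shutil.rmtree(root)
    return outcomes
```

Only the legitimate request is copied; the traversal request is refused by the containment check and the absolute path, re-rooted under the staging directory, simply does not exist.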
Who is affected
Any user of the software who has access to the upload function is affected by this vulnerability. This includes both authenticated and unauthenticated users, depending on the access controls in place.