Eosphoros AI DB-GPT Absolute Path Traversal Vulnerability Allowing Arbitrary File Upload

Vulnerability

A critical vulnerability in Eosphoros AI DB-GPT version 0.6.0 allows absolute path traversal through the file upload endpoint, enabling an attacker to upload arbitrary files to any location on the server. The vulnerability arises because the user-controlled 'file_key' and 'doc_file.filename' parameters are used to build the destination path, so values containing an absolute path escape the intended upload directory. This could result in overwriting crucial system files, such as SSH keys, for further exploitation.

Impact

Exploitation of this vulnerability leads to arbitrary file writing with user-specified data, potentially allowing overwriting of important system files like SSH keys for additional exploitation.

Reproduction

To reproduce this vulnerability, first install DB-GPT version 0.6.0. After setting up the application, create a file payload in the current working directory. Then, send a POST request to the file upload endpoint, including the payload file and specifying the target filename and an absolute path as the file key. The uploaded file will be written to the specified location on the server.
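The fix such an upload handler needs is to treat both parameters as untrusted single path segments and to re-check the resolved destination against the upload root. The following is an added, hypothetical helper written for this page, not DB-GPT's own code; the names safe_upload_path, file_key and filename, and the root directory /srv/dbgpt/uploads, are assumptions.

```python
import os
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeUploadPath(ValueError):
    """Raised when user-supplied path components would escape the upload root."""


def _single_segment(value: str, what: str) -> str:
    """Accept only one plain path segment: no absolute paths, separators or traversal."""
    if not value or value in (".", ".."):
        raise UnsafeUploadPath(f"{what}: empty or traversal component")
    # Check POSIX and Windows forms regardless of the host OS, since the request is untrusted
    if (os.path.isabs(value) or PurePosixPath(value).is_absolute()
            or PureWindowsPath(value).is_absolute()):
        raise UnsafeUploadPath(f"{what}: absolute paths are not allowed")
    if "/" in value or "\\" in value or "\x00" in value:
        raise UnsafeUploadPath(f"{what}: must be a single path segment")
    return value


def safe_upload_path(upload_root: str, file_key: str, filename: str) -> Path:
    """Build <upload_root>/<file_key>/<filename>, refusing anything outside upload_root.

    Hypothetical helper (not DB-GPT's code): file_key and filename stand in for the
    request parameters named in the advisory. Both are validated as single segments,
    then the resolved result is re-checked against the root as defence in depth
    (this also catches a symlink inside the root that points elsewhere).
    """
    root = Path(upload_root).resolve()
    key = _single_segment(file_key, "file_key")
    name = _single_segment(filename, "filename")
    target = (root / key / name).resolve()
    if target != root and root not in target.parents:
        raise UnsafeUploadPath(f"resolved path {target} escapes {root}")
    return target


def rejects(upload_root: str, file_key: str, filename: str) -> bool:
    """True if the pair would be refused; useful for tests and for logging rejected attempts."""
    try:
        safe_upload_path(upload_root, file_key, filename)
    except UnsafeUploadPath:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a benign upload, then the absolute-path shape described above
    print(safe_upload_path("/srv/dbgpt/uploads", "doc-42", "notes.txt"))
    print(rejects("/srv/dbgpt/uploads", "/etc/ssh", "notes.txt"))
```

Rejected requests are worth logging with the offending parameter values, since an absolute path in file_key or filename is a clear signal of an exploitation attempt.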

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          4.2
exploitability  8.7
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.