Airsonic Advanced Unrestricted File Upload Vulnerability in Playlist Upload Handler

Vulnerability

A vulnerability allowing unrestricted file uploads has been identified in Airsonic Advanced versions through 10.6.0. The issue lies in the Playlist Upload Handler: the server does not properly validate the upload destination, so an attacker can manipulate the 'Upload to' field to choose where the file is written. The vulnerability is remotely exploitable and details have been made public.

Impact

Exploitation of this vulnerability allows authenticated users to upload malicious files that can be executed on the server, leading to remote code execution. This could result in a full compromise of the application and potentially the host system.

Reproduction

To reproduce this vulnerability, authenticate as a user and navigate to the 'Upload playlist' feature. Set the 'Upload to' field to a directory traversal value that points to Tomcat's 'webapps' directory. Upload a '.war' file containing a harmless payload, such as a JSP that prints a timestamp. After the file is uploaded, access the deployed context path to confirm execution of the uploaded code.

Remediation

To address this vulnerability, server-side validation should be implemented to block traversal patterns and reject paths containing '..', mixed or double encodings, symlinks, or absolute paths. An allow-list of upload destinations should be enforced, replacing the free-text directory with server-defined options that the client selects by key. Additionally, the file extensions and MIME types accepted for playlist uploads should be restricted to non-executable playlist formats, and Tomcat's 'autoDeploy' and 'deployOnStartup' Host settings should be disabled if not strictly necessary, so that a file landing in 'webapps' is not deployed automatically.
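The following is an added example (not Airsonic Advanced's own code) showing how a handler could implement the remediation above: the destination is chosen by key from a server-defined allow-list rather than taken as a free-text path, the file name must be a single path component, the extension and declared MIME type must be playlist formats, and the resolved path is re-checked against the base directory and refused if it would overwrite a symlink. The directory paths, destination keys and class name are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not Airsonic Advanced code: validates a playlist upload request
 * against an allow-list of server-defined destinations and non-executable
 * playlist file types instead of trusting a client-supplied 'Upload to' value.
 */
public final class PlaylistUploadValidator {

    /** Destination key shown in the UI -> server-defined directory (hypothetical paths). */
    private static final Map<String, Path> ALLOWED_DESTINATIONS = Map.of(
            "my-playlists", Paths.get("/var/lib/airsonic/playlists/import"),
            "shared", Paths.get("/var/lib/airsonic/playlists/shared"));

    /** Playlist formats only; .war, .jsp and other executable content are never accepted. */
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("m3u", "m3u8", "pls", "xspf");

    private static final Set<String> ALLOWED_MIME_TYPES = Set.of(
            "audio/x-mpegurl", "audio/mpegurl", "application/vnd.apple.mpegurl",
            "audio/x-scpls", "application/xspf+xml", "text/plain");

    private PlaylistUploadValidator() {}

    /**
     * Returns the normalized path the upload may be written to, or throws
     * IllegalArgumentException if any part of the request is outside the allow-list.
     */
    public static Path resolveDestination(String destinationKey, String originalFileName, String contentType)
            throws IOException {
        // 1. The directory is selected by key; the client never supplies a path.
        Path base = ALLOWED_DESTINATIONS.get(destinationKey);
        if (base == null) {
            throw new IllegalArgumentException("unknown upload destination: " + destinationKey);
        }

        // 2. The file name must be one path component: no separators, no '..',
        //    no percent signs (which could hide traversal behind a later decode), no NUL.
        if (originalFileName == null || originalFileName.isEmpty()
                || originalFileName.contains("/") || originalFileName.contains("\\")
                || originalFileName.contains("..") || originalFileName.contains("%")
                || originalFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name");
        }

        // 3. Extension and declared MIME type (parameters such as charset stripped) must both be allowed.
        int dot = originalFileName.lastIndexOf('.');
        String ext = dot < 0 ? "" : originalFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("file type not allowed: " + ext);
        }
        String mime = contentType == null ? "" : contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        if (!ALLOWED_MIME_TYPES.contains(mime)) {
            throw new IllegalArgumentException("content type not allowed: " + mime);
        }

        // 4. Defence in depth: the resolved path must be a direct child of the base directory.
        Path target = base.resolve(originalFileName).normalize();
        if (!target.startsWith(base) || target.getNameCount() != base.getNameCount() + 1) {
            throw new IllegalArgumentException("resolved path escapes upload directory");
        }

        // 5. Never write through an existing symlink, which could redirect the write elsewhere.
        if (Files.isSymbolicLink(target)) {
            throw new IllegalArgumentException("refusing to overwrite a symbolic link");
        }
        return target;
    }

    /** Runs a few constructed requests through the validator and prints the decision for each. */
    public static void main(String[] args) throws IOException {
        String[][] requests = {
                {"my-playlists", "summer.m3u", "audio/x-mpegurl"},
                {"shared", "party.xspf", "application/xspf+xml; charset=utf-8"},
                {"my-playlists", "../../../tomcat/webapps/deploy.war", "application/octet-stream"},
                {"/opt/tomcat/webapps", "deploy.war", "application/octet-stream"},
                {"shared", "notes.jsp", "text/plain"},
        };
        for (String[] r : requests) {
            try {
                System.out.println("ACCEPT " + resolveDestination(r[0], r[1], r[2]));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + String.join(" ", r) + " -> " + e.getMessage());
            }
        }
    }
}
```

The first two requests are accepted and resolve under the allow-listed directories; the traversal attempt, the free-text absolute destination and the '.jsp' name are each rejected at the first failing check. Because the destination is looked up by key, a client that tampers with the 'Upload to' value cannot name any directory the server did not define, which is the core of the fix; the file-name and type checks are defence in depth.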

Added: Sep 18, 2025, 2:20 PM
Updated: Sep 18, 2025, 2:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.