Shazwazza Smidge Path Traversal Vulnerability in Bundle Handler Component
Vulnerability
A path traversal vulnerability has been identified in Shazwazza Smidge versions prior to 4.5.1. The issue arises in the Bundle Handler component, where manipulation of the Version parameter can lead to unauthorized file access. This vulnerability can be exploited remotely, allowing for arbitrary file creation on the server.
Impact
Exploitation of this vulnerability could lead to arbitrary file creation, allowing an attacker to write files to the server's file system. This could be used to deplete disk space, potentially causing a denial-of-service condition by exhausting available storage resources.
Reproduction
To reproduce this vulnerability, create a JavaScript bundle using Smidge and upload it to a .NET web application. Then, send a request to the bundle while manipulating the Version parameter to traverse directories. This can be done by encoding the version string to include directory traversal sequences, such as 'c:\users\' followed by a username. The response will indicate whether the traversal was successful by referencing the 'CreateDirectory' or 'CreateFile' methods. Once the traversal is confirmed, the vulnerability can be exploited by writing files to the user's directory.
Remediation
Upgrade to Smidge version 4.6.0, which addresses the vulnerability. The upgrade is available on the Shazwazza Smidge GitHub releases page.
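The following is an added example, not Smidge's own code or its fix: it shows one way an application can constrain a request-supplied version value before it becomes part of a cache path, so that neither a rooted value such as the 'c:\users\' case above nor a relative traversal sequence reaches directory or file creation. The class name, method name, cache root and the allowed character set are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Hypothetical helper; names are illustrative and not part of Smidge.
public static class BundleCachePath
{
    // Assumption: a version token is short and uses only letters, digits, '.', '-' and '_'.
    // \A and \z anchor the whole string ('$' would also accept a trailing newline).
    private static readonly Regex SafeVersion =
        new Regex(@"\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z", RegexOptions.CultureInvariant);

    // Returns the cache directory for a version, or throws if the value
    // could place the path outside cacheRoot.
    public static string Resolve(string cacheRoot, string version)
    {
        if (version == null || !SafeVersion.IsMatch(version) || version.Contains(".."))
            throw new ArgumentException("Invalid version value.", nameof(version));

        string root = Path.GetFullPath(cacheRoot);
        string sep = Path.DirectorySeparatorChar.ToString();
        if (!root.EndsWith(sep, StringComparison.Ordinal))
            root += sep;

        // Path.Combine returns its second argument unchanged when that argument is
        // rooted, so the combined path is canonicalised and checked for containment
        // even though the allow-list above already rejects separators and ':'.
        string candidate = Path.GetFullPath(Path.Combine(root, version));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Version resolves outside the cache root.", nameof(version));

        return candidate;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "bundle-cache");
        // Constructed sample inputs: two ordinary versions, then values that must be rejected.
        string[] samples = { "1", "2024.1-rc", "..", @"..\..\x", @"c:\users\someone", "/etc", "a/b" };
        foreach (string v in samples)
        {
            try { Console.WriteLine($"{v,-20} -> {Resolve(root, v)}"); }
            catch (ArgumentException e) { Console.WriteLine($"{v,-20} -> rejected: {e.Message}"); }
        }
    }
}
```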
