Dreampie Resty Framework HttpClient Path Traversal Vulnerability
Vulnerability
A path traversal vulnerability exists in the Dreampie Resty Framework's HttpClient module, affecting all versions through 1.3.1.SNAPSHOT. The vulnerability arises because the HttpClient's file download function automatically extracts filenames from the Content-Disposition header of HTTP responses without proper sanitization. This flaw allows an attacker to manipulate the filename argument, injecting path traversal sequences to write files to arbitrary locations on the server's filesystem. The vulnerability can be exploited remotely, particularly in applications that download files from user-controlled sources or third-party APIs, although the attack is complicated to execute.
Impact
Exploitation of this vulnerability allows for arbitrary file writes, which can lead to remote code execution by deploying web shells or injecting executable scripts into directories included in the system's PATH. Additionally, it could be used to overwrite critical system files, such as those containing user credentials or application configurations, potentially causing application crashes or corrupting important data.
Reproduction
The vulnerability can be reproduced by using the HttpClient to download a file from a server that the attacker controls. The server can be configured to send a response with a manipulated Content-Disposition header that includes path traversal sequences. When the HttpClient processes this response, it will write the file to the location specified by the traversal payload, demonstrating the path traversal vulnerability.
Remediation
As of now, there is no official patch available for this vulnerability. However, a workaround is to use explicit file paths instead of relying on the automatic filename extraction when downloading files with the HttpClient.
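One way to apply this workaround, as an added example that is not code from Resty or from this advisory: the hypothetical `SafeDownloadTarget.resolve` helper reduces a server-supplied filename to its last segment and verifies that the resulting path sits directly inside a directory chosen by the caller. The `downloads` directory and the sample filenames are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical helper (not part of Resty): confines an untrusted filename to one directory. */
public class SafeDownloadTarget {

    /** Resolves an untrusted filename inside baseDir, or throws if it cannot be confined there. */
    static Path resolve(Path baseDir, String untrustedName) throws IOException {
        if (untrustedName == null) {
            throw new IOException("missing filename");
        }
        // Treat '\' and '/' as separators on every host OS and keep only the last segment.
        String leaf = untrustedName.replace('\\', '/');
        leaf = leaf.substring(leaf.lastIndexOf('/') + 1).trim();
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..") || leaf.indexOf('\0') >= 0) {
            throw new IOException("rejected filename: " + untrustedName);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target;
        try {
            target = base.resolve(leaf).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("rejected filename: " + untrustedName, e);
        }
        // Defence in depth: the final path must be a direct child of the base directory.
        if (!base.equals(target.getParent())) {
            throw new IOException("filename escapes download directory: " + untrustedName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("downloads"); // constructed example directory
        // Constructed values, as they might arrive in a Content-Disposition filename parameter.
        String[] samples = { "report.pdf", "../../tmp/report.pdf", "..\\..\\tmp\\report.pdf", ".." };
        for (String name : samples) {
            try {
                System.out.println(name + " -> " + resolve(base, name));
            } catch (IOException e) {
                System.out.println(name + " -> " + e.getMessage());
            }
        }
    }
}
```

The caller chooses the directory and the header only ever contributes a leaf name; symbolic links that already exist inside that directory are not resolved by this check.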
