jsnjfz WebStack-Guns Path Traversal Vulnerability in KaptchaController

Vulnerability

A path traversal vulnerability has been identified in jsnjfz WebStack-Guns version 1.0. The issue arises in the KaptchaController's renderPicture function, where the application fails to properly sanitize the pictureId parameter before appending it to the file upload path. This lack of validation allows remote attackers to manipulate the parameter and access arbitrary files readable by the application user. The vulnerability is exacerbated by the fact that the /kaptcha/{pictureId} endpoint is publicly accessible without authentication.

Impact

Exploitation of this vulnerability allows for arbitrary file reading, with potential access to sensitive information such as database credentials or SSH keys, depending on the files available to the application user.

Reproduction

To reproduce this vulnerability, deploy WebStack-Guns 1.0 with the default configuration, ensuring that 'guns.file-upload-path' is set to a writable directory like '/tmp/'. Without authenticating, send a GET request to the '/kaptcha/{pictureId}' endpoint, replacing '{pictureId}' with a payload containing directory traversal sequences (e.g., '../../../../etc/passwd'). The server responds with the contents of the requested file, demonstrating the path traversal vulnerability.

Remediation

It is recommended to validate and sanitize the pictureId parameter to reject any values that could lead to directory traversal. Implementing a strict whitelist of allowed filenames and using normalized paths for file access can help mitigate this issue. Additionally, consider removing the public exposure of the /kaptcha endpoint or protecting it with authentication.
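
The validation described above could look like the following. This is an added example, not code from WebStack-Guns or from this advisory; the class PictureIdCheck, the method resolvePicture and the filename pattern are assumptions made for illustration, and the sample inputs in main are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

public class PictureIdCheck {
    // Assumed naming policy: one path segment of letters, digits, '_' or '-'
    // plus an image extension. Adjust to the names the uploader really generates.
    private static final Pattern ALLOWED =
            Pattern.compile("[A-Za-z0-9_-]{1,64}\\.(?:png|jpg|jpeg|gif)");

    // Returns the file to serve, or throws if pictureId is not a plain file under uploadRoot.
    static Path resolvePicture(Path uploadRoot, String pictureId) throws IOException {
        if (pictureId == null || !ALLOWED.matcher(pictureId).matches()) {
            throw new IllegalArgumentException("pictureId does not match the allowed pattern");
        }
        Path root = uploadRoot.toRealPath();
        // Second layer: normalize and confirm the result is still below the upload root.
        Path candidate = root.resolve(pictureId).normalize();
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("pictureId escapes the upload directory");
        }
        // toRealPath follows symlinks and throws NoSuchFileException for a missing file.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root) || !Files.isRegularFile(real)) {
            throw new IllegalArgumentException("pictureId does not name a file in the upload directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("upload-root"); // stand-in for guns.file-upload-path
        Files.write(root.resolve("abc123.png"), new byte[] {1, 2, 3});
        String[] ids = {"abc123.png", "../../../../etc/passwd", "missing.png"};
        for (String id : ids) {
            try {
                System.out.println("served   " + id + " -> " + resolvePicture(root, id).getFileName());
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("rejected " + id + " (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```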

Added: Dec 1, 2025, 7:19 AM
Updated: Dec 1, 2025, 7:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.