ClipBucket V5 Avatar Upload Path Traversal Vulnerability Leading to Arbitrary File Deletion

Vulnerability

A path traversal vulnerability has been identified in ClipBucket V5 during the user avatar upload process. The application allows users to upload avatars either as files or via URLs, with the latter option enabled by default. When an avatar is deleted, ClipBucket checks for the corresponding URL in the avatars subdirectory. However, the deletion process does not validate the URL for path traversal sequences, allowing crafted URLs to manipulate the file path and delete files outside the intended directory. This vulnerability affects ClipBucket versions through 5.5.1 - 236 and has been patched in version 5.5.1 - 237.

Impact

Exploitation of this vulnerability allows for arbitrary file deletion. Files deleted in this manner can include critical application PHP files and configuration files, potentially leading to a complete takeover of the ClipBucket application.

Reproduction

To reproduce this vulnerability, supply a path traversal payload in the avatar URL field so that the uploaded file lands in a writable location such as the /tmp directory. Then open the avatar management page and delete the avatar: the application builds the file path from the stored URL, traversal segments included, and removes the referenced file from the server.

Remediation

To address this vulnerability, ClipBucket users should update to version 5.5.1 - 237 or later. Additionally, the application can be configured to disable URL-based avatar uploads, further mitigating the risk.
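The Vulnerability section above describes a deletion routine that joins a user-controlled avatar reference onto the avatars directory without validation, and the Remediation section points to the fix. The following PHP is an added example, not ClipBucket's code: it reconstructs that unsafe pattern in a minimal form and places a hardened resolver beside it. Directory, function and variable names are hypothetical, and it assumes (as the advisory implies) that a URL-based avatar is kept as a local file named after the URL's last path segment.

```php
<?php
declare(strict_types=1);

// Added example, not ClipBucket's own code. Names are hypothetical; the unsafe
// variant is a minimal reconstruction of the pattern the advisory describes.

// Avatars are flat image files; anything that does not look like one is rejected.
const AVATAR_NAME_PATTERN = '/^[A-Za-z0-9][A-Za-z0-9_-]*\.(png|jpe?g|gif|webp)$/';

// Unsafe pattern: the stored reference is appended to the avatars directory
// verbatim, so traversal segments in it select a file outside that directory.
function deleteAvatarUnsafe(string $avatarDir, string $storedRef): bool
{
    $path = $avatarDir . '/' . $storedRef;
    return is_file($path) && unlink($path);
}

// Hardened resolution: reduce the reference to a single file name, allowlist its
// shape, canonicalise, and require the result to stay inside the avatars
// directory. Returns null whenever the reference must not be acted on.
function resolveAvatarPath(string $avatarDir, string $storedRef): ?string
{
    // A URL or path is reduced to its last component after one round of
    // percent-decoding, so "../", "%2e%2e/" and URL prefixes all fall away.
    $name = basename(rawurldecode($storedRef));
    if (!preg_match(AVATAR_NAME_PATTERN, $name)) {
        return null;
    }

    $base = realpath($avatarDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null; // nothing to delete
    }

    // realpath() follows symlinks, so a link inside the store that points
    // elsewhere is also caught by this prefix check.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function deleteAvatarSafe(string $avatarDir, string $storedRef): bool
{
    $path = resolveAvatarPath($avatarDir, $storedRef);
    if ($path === null) {
        // A rejected reference is either corrupt data or an attempt to point
        // the deletion outside the avatar store; both are worth a log line.
        error_log('avatar delete rejected for reference: ' . $storedRef);
        return false;
    }
    return unlink($path);
}

// Self-contained demonstration against a throwaway directory layout
// (constructed for this example).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avatar-demo-' . bin2hex(random_bytes(4));
$avatarDir = $root . DIRECTORY_SEPARATOR . 'avatars';
mkdir($avatarDir, 0700, true);
file_put_contents($avatarDir . '/u42.png', 'png bytes');   // legitimate avatar
file_put_contents($root . '/config.php', '<?php // app config');

// A reference carrying a traversal segment must be refused and leave config.php alone.
$refused = !deleteAvatarSafe($avatarDir, '../config.php') && file_exists($root . '/config.php');
echo $refused ? "traversal reference rejected, config.php intact\n" : "FAIL: config.php removed\n";

// A URL-shaped reference to a real avatar is reduced to its file name and deleted normally.
$removed = deleteAvatarSafe($avatarDir, 'https://example.invalid/img/u42.png')
    && !file_exists($avatarDir . '/u42.png');
echo $removed ? "legitimate avatar removed\n" : "FAIL: legitimate delete\n";

// Cleanup of the demonstration files.
@unlink($root . '/config.php');
rmdir($avatarDir);
rmdir($root);
```

The two layers are deliberate: basename() plus the allowlist pattern guarantee a single flat file name regardless of how the reference was encoded, and the realpath() prefix check guards the case where something already inside the store (a symlink, for instance) points back out. Disabling URL-based uploads, as the Remediation section recommends, removes the untrusted reference entirely and is the simpler control where the feature is not needed.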

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.