Lychee
cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*
- >= 6.6.6, <= 6.6.9
A path traversal vulnerability has been identified in Lychee versions from 6.6.6 up to, but not including, 6.6.10. This issue allows attackers to leak local files, including environment variables, nginx logs, other users' uploaded images, and configuration secrets. The vulnerability arises from insufficient validation of file paths in SecurePathController.php, enabling low-privileged users to access sensitive information by exploiting the file path handling.
Exploitation of this vulnerability allows for unauthorized access to sensitive server files and other users' private uploads, posing a significant risk to user privacy and data security.
The vulnerability can be reproduced by sending a GET request to the image endpoint with a path that includes traversal sequences, such as '..%2fconf%2f.env' or '..%2fvar%2fwww%2fhtml%2fLychee%2f.env'. This will result in the leakage of the specified environment file. Alternatively, the nginx log history can be accessed, which contains records of other requests made to the website, potentially allowing the attacker to leak images uploaded by other users.
Users can update to Lychee version 6.6.10 or later, where this vulnerability has been patched.
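For checking whether the encoded traversal requests described above already appear in nginx access logs, the following is an added example, not code from the advisory or the Lychee project. The `/image/` prefix is a hypothetical placeholder because the advisory does not name the route, and the log lines are constructed samples.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical route prefix: the advisory does not name the image endpoint.
ENDPOINT_PREFIX = "/image/"
# Request line and status as written by nginx's default "combined" log format.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded '%252f' is unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_root(target):
    """True if the path after ENDPOINT_PREFIX resolves above its own root."""
    path = target.split("?", 1)[0]
    if not path.startswith(ENDPOINT_PREFIX):
        return False
    rel = fully_decode(path[len(ENDPOINT_PREFIX):]).replace("\\", "/")
    if rel.startswith("/"):
        return True  # absolute path smuggled in after decoding
    normalized = posixpath.normpath(rel)
    return normalized == ".." or normalized.startswith("../")

def find_traversal_hits(log_lines):
    """Return (status, target) for every logged request that escapes the root."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and escapes_root(match.group("target")):
            hits.append((int(match.group("status")), match.group("target")))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /image/..%2fconf%2f.env HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /image/..%252fconf%252f.env HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.4 - - [01/Jan/2025:10:01:00 +0000] "GET /image/small/ab/cd/photo.jpg HTTP/1.1" 200 9000 "-" "-"',
    '198.51.100.4 - - [01/Jan/2025:10:02:00 +0000] "GET /gallery?page=2 HTTP/1.1" 200 1200 "-" "-"',
]

if __name__ == "__main__":
    for status, target in find_traversal_hits(SAMPLE_LOG):
        # A 200 on a flagged request suggests content was returned.
        print(status, target)
```

Flagged requests that returned status 200 are the ones to review first, since any secrets in the leaked file should be treated as exposed and rotated.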