FileCodeBox Path Traversal Vulnerability Allowing Arbitrary File Writes
Vulnerability
A path traversal vulnerability exists in FileCodeBox versions through 2.2, allowing arbitrary file writes when the application is set to use local filesystem storage. The vulnerability arises because the SystemFileStorage.save_file method in core/storage.py constructs file paths using unvalidated filenames from user input. This flaw enables remote attackers to write files outside the intended directory by sending crafted POST requests with malicious traversal sequences to the /share/file/upload endpoint, which does not require authorization.
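The flaw class described above, as an added example that is not FileCodeBox's own code: `naive_save_path` is a simplified stand-in for joining a client-supplied filename to the storage root, and `safe_save_path` is one way to constrain it. The function names and the sample filenames are assumptions constructed for this illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_save_path(root: Path, filename: str) -> Path:
    """Stand-in for the flawed pattern: client filename joined to the root unchecked."""
    return Path(os.path.normpath(root / filename))


def safe_save_path(root: Path, filename: str) -> Path:
    """Hardened form: keep only the final path component, then verify containment."""
    # Treat both separators as path separators, whatever the server OS is.
    name = filename.replace("\\", "/").split("/")[-1]
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"rejected upload filename: {filename!r}")
    root = root.resolve()
    target = (root / name).resolve()
    # Defence in depth: the resolved target must still sit under the root
    # (this also catches a symlink planted inside the storage directory).
    if not target.is_relative_to(root):
        raise ValueError(f"path escapes storage root: {filename!r}")
    return target


def check(filenames):
    """Return {filename: (naive_escapes_root, safe_relative_name_or_None)}."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d).resolve() / "data"
        root.mkdir()
        for fn in filenames:
            naive = naive_save_path(root, fn)
            escapes = not naive.is_relative_to(root)
            try:
                safe = safe_save_path(root, fn).relative_to(root).as_posix()
            except ValueError:
                safe = None  # filename rejected outright
            out[fn] = (escapes, safe)
    return out


if __name__ == "__main__":
    # Constructed sample filenames, including the one from the Reproduction section.
    samples = ["report.pdf", "../../../../../etc/passwd", "..", "/etc/passwd"]
    for fn, result in check(samples).items():
        print(f"{fn!r}: naive escapes root={result[0]}, safe name={result[1]!r}")
```

Note that an absolute filename escapes the naive join as well, because joining an absolute path onto the root discards the root entirely.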
Impact
Exploitation of this vulnerability could lead to unauthorized modification of files on the server, potentially allowing for the overwriting of sensitive files such as SSH authorized keys.
Reproduction
To reproduce this vulnerability, send a multipart POST request to the /share/file/upload endpoint. Include a filename that contains traversal sequences, such as '../../../../../etc/passwd', in the 'file' field. The request can be made using tools like curl or Postman. The 'expire_value' and 'expire_style' fields can also be included to specify the expiration time and style for the uploaded file.
Remediation
Users can update to FileCodeBox version 2.2 or later, where this vulnerability has been addressed.
