Directus Unauthenticated File Upload and Modification Vulnerability

Vulnerability

Directus versions from 10.8.0 up to, but not including, 11.9.3 allow an unauthenticated user to upload files with arbitrary content and file extensions, or to overwrite existing files, without the corresponding file metadata being created or updated. Because the metadata is untouched, the uploaded or modified files do not appear in the Directus UI. The root cause is inadequate input sanitization in the file update mechanism, in particular in the 'filename_disk' parameter, which lets an attacker bypass upload restrictions and control how the file is written to storage.

Impact

Successful exploitation allows unauthorized upload or modification of files in the instance's storage without any credentials. If anything executes or interprets the files placed there (the Directus server itself, or a web server that serves the storage location), this can escalate to arbitrary code execution.

Reproduction

Reproduction requires network access to the Directus files API and knowledge of at least one existing file UUID; no authentication is needed. A UUID is typically obtainable by interacting with any application that uses the Directus instance to manage or serve files, since file UUIDs appear in asset URLs. With a UUID in hand, the attacker sends a request to the files API with the UUID in the 'pk' parameter and the malicious file contents as the request payload. The targeted file is written to storage while its metadata record is left unchanged, which is why the result is invisible in the UI.

Remediation

Users should update Directus to version 11.9.3 or later.
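Upgrading closes the hole but does not tell an operator whether it was already used. Since files written through this bug never get a metadata row (new uploads) or keep a stale one (overwrites), the practical check is to reconcile the storage location against the directus_files table. The following script is an added example, not Directus project code or part of the original advisory: it flags instance versions in the affected range and reports files on disk that have no metadata row or whose size disagrees with the stored filesize. The storage listing and metadata rows are assumed to be supplied as a flat dict and a list of records (for example from os.scandir() and a query on directus_files); the sample data at the bottom is constructed for illustration.

```python
"""Added example (not Directus project code): version-range check plus a
storage-vs-metadata reconciliation for the Directus file upload issue."""

from dataclasses import dataclass

AFFECTED_FROM = (10, 8, 0)   # first affected release named by the advisory
FIXED_IN = (11, 9, 3)        # first fixed release named by the advisory


def parse_version(version: str) -> tuple:
    """Turn 'v11.9.2', '11.9.2-rc.1' or '11.9.2+build' into (11, 9, 2)."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Directus version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when 10.8.0 <= version < 11.9.3, the range the advisory gives."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


@dataclass(frozen=True)
class FileRecord:
    """The subset of a directus_files row this check needs."""
    id: str
    filename_disk: str
    filesize: int


def reconcile_storage(disk_files: dict, records: list) -> dict:
    """Compare the storage location with what directus_files knows about it.

    disk_files: {filename_on_disk: size_in_bytes}; assumption: a flat listing
                of a single storage location (local directory or one bucket).
    records:    FileRecord objects from directus_files.

    Returns the two traces this vulnerability leaves behind:
      unmanaged     - on disk but with no metadata row: an upload that never
                      created metadata, so it is invisible in the UI
      size_mismatch - on-disk size differs from the stored filesize: an
                      in-place overwrite that left the metadata untouched
    """
    by_disk_name = {r.filename_disk: r for r in records}
    unmanaged = sorted(name for name in disk_files if name not in by_disk_name)
    size_mismatch = sorted(
        name for name, size in disk_files.items()
        if name in by_disk_name and by_disk_name[name].filesize != size
    )
    return {"unmanaged": unmanaged, "size_mismatch": size_mismatch}


# Constructed sample data; the UUIDs and sizes are made up for this example.
SAMPLE_RECORDS = [
    FileRecord("11111111-1111-4111-8111-111111111111",
               "11111111-1111-4111-8111-111111111111.png", 1024),
    FileRecord("22222222-2222-4222-8222-222222222222",
               "22222222-2222-4222-8222-222222222222.pdf", 2048),
]

SAMPLE_DISK = {
    "11111111-1111-4111-8111-111111111111.png": 1024,  # consistent with metadata
    "22222222-2222-4222-8222-222222222222.pdf": 4096,  # overwritten, metadata stale
    "33333333-3333-4333-8333-333333333333.php": 300,   # no metadata row at all
}


def run_sample() -> dict:
    """Run the reconciliation over the constructed sample listing."""
    return reconcile_storage(SAMPLE_DISK, SAMPLE_RECORDS)


if __name__ == "__main__":
    for ver in ("10.7.9", "10.8.0", "11.9.2", "11.9.3"):
        print(f"{ver}: {'affected' if is_affected(ver) else 'not affected'}")
    for kind, names in run_sample().items():
        print(kind, names)
```

Treat every name in either list as a finding: unmanaged files should be quarantined and inspected rather than deleted, and a size mismatch on a file that is served to users warrants comparing the on-disk content against a known-good copy before the instance is put back into service.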

Added: Aug 20, 2025, 6:22 PM
Updated: Aug 20, 2025, 6:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.2
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.