Letseeqiji Gorobbs Path Traversal Vulnerability in User Avatar Reset Function

Vulnerability

A critical path traversal vulnerability has been identified in Letseeqiji Gorobbs versions up to and including 1.0.8. The issue lies in the API component, specifically in the ResetUserAvatar function of the user.go file. Because the filename argument is not validated, an attacker can supply directory traversal sequences in it and write files outside the intended avatar directory. The vulnerability is exploitable remotely.

Impact

Successful exploitation gives an attacker an arbitrary file write on the server, which can lead to unauthorized file access or modification.

Reproduction

To reproduce this vulnerability, send a request to the ResetUserAvatar endpoint with a crafted filename parameter that includes directory traversal sequences, such as '../../..', and an id parameter that also includes traversal sequences. This will bypass directory restrictions and allow files to be written to arbitrary locations on the server.
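The defensive counterpart to the request described above is a handler that refuses any user id or filename which would leave the avatar directory. The following Go function is an added illustration written for this advisory; it is not code from the Gorobbs project, and the function name SafeAvatarPath, the base directory /srv/avatars and the sample ids are assumptions. It rejects traversal components outright and then re-checks the cleaned result against the base directory, so that a later change to the join logic cannot silently reopen the hole.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when the requested avatar location would
// fall outside the configured avatar directory.
var ErrUnsafePath = errors.New("avatar path escapes the avatar directory")

// SafeAvatarPath returns the absolute path at which an avatar for userID
// with the given filename may be written under baseDir, or ErrUnsafePath
// if either value contains a path separator or a traversal component.
// (Hypothetical helper for this advisory, not the project's own code.)
func SafeAvatarPath(baseDir, userID, filename string) (string, error) {
	// First line of defence: each value must be a single, plain path
	// element. Separators (either style) and "." / ".." are refused.
	for _, part := range []string{userID, filename} {
		if part == "" || part == "." || part == ".." || strings.ContainsAny(part, `/\`) {
			return "", ErrUnsafePath
		}
	}

	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(base, userID, filename) // Join also cleans the result

	// Second line of defence: the cleaned path must still resolve inside base.
	rel, err := filepath.Rel(base, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return candidate, nil
}

func main() {
	// Constructed sample inputs: one benign request and two traversal attempts
	// of the shape described in the advisory.
	cases := []struct{ id, name string }{
		{"42", "avatar.png"},
		{"../../..", "avatar.png"},
		{"42", "../../../outside.txt"},
	}
	for _, c := range cases {
		p, err := SafeAvatarPath("/srv/avatars", c.id, c.name)
		if err != nil {
			fmt.Printf("id=%q file=%q -> rejected: %v\n", c.id, c.name, err)
			continue
		}
		fmt.Printf("id=%q file=%q -> write to %s\n", c.id, c.name, p)
	}
}
```

The component check alone would stop the request shown in the reproduction steps; the filepath.Rel check is kept because it also catches encodings or future code paths that slip a traversal past the first loop, and it is cheap.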

Added: Jul 11, 2025, 5:52 PM
Updated: Jul 11, 2025, 5:52 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.