Openviglet Shio Path Traversal Vulnerability in Static File API
Vulnerability
A critical path traversal vulnerability has been identified in the Openviglet Shio Content Management System, affecting all versions prior to 0.3.8. The issue arises in the 'shStaticFilePreUpload' method of the 'ShStaticFileAPI.java' file, where insufficient input validation of the 'fileName' parameter allows attackers to manipulate the argument and read arbitrary files from the server. This vulnerability can be exploited remotely, with a public proof-of-concept available.
Impact
Exploitation of this vulnerability allows for unauthorized reading of sensitive system files, such as configuration files and logs, which could lead to further exploitation or privilege escalation.
Reproduction
To reproduce this vulnerability, send a GET request to the '/api/v2/staticfile/pre-upload/{folderId}/{fileName}' endpoint. Replace '{folderId}' with a valid folder ID and '{fileName}' with a payload containing path traversal sequences, such as '../../../etc/passwd'. The application will attempt to check if the file exists, potentially disclosing file system information.
Remediation
It is recommended to implement strict input validation for the 'fileName' parameter to prevent path traversal attempts. This can be done by normalizing the path, whitelisting allowed characters, and ensuring the final path remains within the intended directory.
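The three checks named above, as an added example that is not code from Openviglet Shio or its fix. The class name, the allow-list pattern and the temporary base directory are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added example: every name here is hypothetical, not Shio's own code.
public class StaticFileNameGuard {
    // Allow-list (assumed policy): a single path segment of letters, digits,
    // dot, dash and underscore that does not start with a dot.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_-][A-Za-z0-9._-]{0,254}$");

    /** Resolves fileName under baseDir, or throws if it is not a plain name inside it. */
    static Path resolveInside(Path baseDir, String fileName) {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("rejected file name");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(fileName).normalize();
        // Path.startsWith compares whole segments, so /data/store-old
        // is not treated as being inside /data/store.
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate;
    }

    static boolean accepted(Path baseDir, String fileName) {
        try {
            resolveInside(baseDir, fileName);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the storage directory of one folder.
        Path base = Files.createTempDirectory("folder-");
        // Constructed inputs: only the first is a legitimate file name.
        String[] samples = {"report.pdf", "../../../etc/passwd", "..", "a/b.txt",
                "..\\..\\win.ini", "/etc/passwd", ".htaccess", ""};
        for (String s : samples) {
            System.out.printf("%-24s -> %s%n", "\"" + s + "\"",
                    accepted(base, s) ? "accepted" : "rejected");
        }
    }
}
```

Path.normalize() is purely lexical, so if the storage directory can contain symbolic links, compare toRealPath() results for the base directory and the resolved parent instead.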
