Lostvip-com Ruoyi-Go Path Traversal Vulnerability in Download Function
Vulnerability
A path traversal vulnerability has been identified in Lostvip-com Ruoyi-Go versions through 2.1. The issue arises in the DownloadTmp and DownloadUpload functions within the CommonController.go file. The vulnerability allows for arbitrary file downloads by manipulating the fileName parameter, enabling access to sensitive files on the server. This flaw can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for arbitrary file reading on the server, potentially leading to the disclosure of sensitive information.
Reproduction
To reproduce this vulnerability, send a GET request to the '/common/download' or '/common/downloadUpload' endpoint with a crafted fileName parameter that includes path traversal sequences (such as '../') to access restricted files, like '/etc/passwd'.
Remediation
It is recommended to implement proper input validation and sanitization for fileName parameters to prevent path traversal. This can include normalizing file paths, whitelisting allowed file types, and ensuring requested files remain within designated directories.
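The following Go sketch is an added example, not code from Ruoyi-Go or from this advisory. It puts an unchecked join beside a resolver that normalizes the path, applies an extension allowlist, and confirms the result stays inside the download directory. The function names, the allowlist, and the directory /srv/app/upload are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed allowlist of downloadable extensions (an assumption, not the project's list).
var allowedExt = map[string]bool{".xlsx": true, ".png": true, ".pdf": true}

var ErrRejected = errors.New("fileName rejected")

// naiveJoin is an illustrative unsafe pattern: joined with no containment check.
func naiveJoin(baseDir, fileName string) string {
	return filepath.Join(baseDir, fileName)
}

// resolveDownload returns the absolute path for fileName only if it stays inside baseDir.
func resolveDownload(baseDir, fileName string) (string, error) {
	if fileName == "" || strings.ContainsRune(fileName, 0) {
		return "", ErrRejected
	}
	// Treat backslashes as separators so the check behaves the same on every OS.
	name := strings.ReplaceAll(fileName, `\`, "/")
	if !allowedExt[strings.ToLower(filepath.Ext(name))] {
		return "", ErrRejected
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// Join cleans the result, collapsing "../" segments before the containment test.
	full := filepath.Join(base, filepath.FromSlash(name))
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrRejected
	}
	return full, nil
}

func main() {
	base := "/srv/app/upload" // constructed directory
	for _, n := range []string{"report.xlsx", "2024/a.png", "../secret.pdf", "../../etc/passwd"} {
		p, err := resolveDownload(base, n)
		fmt.Printf("%-20q naive=%-28s safe=%q err=%v\n", n, naiveJoin(base, n), p, err)
	}
}
```

The check is lexical only: if symbolic links can exist under the download directory, resolve the final path with filepath.EvalSymlinks and repeat the containment test before opening the file.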
