Swing Music Directory Traversal Vulnerability in Dir Browser Endpoint
Vulnerability
A directory traversal vulnerability has been identified in Swing Music versions prior to 2.1.4. The issue resides in the 'list_folders()' function behind the '/folder/dir-browser' endpoint, which lacks proper path validation. This flaw allows any authenticated user, including non-admins, to access arbitrary directories on the server filesystem. The vulnerability arises because the endpoint neither enforces authorization nor validates the supplied folder path, so path segments such as '..' are passed through and enable traversal outside the intended directory.
Impact
Exploitation of this vulnerability could lead to unauthorized access to the server's filesystem, allowing users to browse sensitive directories and files. This could include configuration files, log files, and other critical system information. Such access might also pave the way for further attacks, such as local file inclusion or remote code execution.
Reproduction
To reproduce this vulnerability, create a non-admin user and authenticate with that account. Then, send a POST request to the '/folder/dir-browser' endpoint, including a folder path that traverses directories, such as '../proc/self/'. The response will reveal that the traversal was successful by listing directories from the '/proc/self' path, demonstrating the exploitation of the directory traversal vulnerability.
Remediation
Users are advised to update to Swing Music version 2.1.4 or later, where this vulnerability has been fixed.
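The two defects the advisory describes, a missing authorization check and a missing containment check on the requested folder path, map to two small guards in a handler. The following is an added example written for this page; it is not Swing Music's code and does not reproduce the 2.1.4 fix. It assumes a browser that should be admin-only (an assumption, not something the advisory states), a configured library root, and a hypothetical 'browse()' handler that returns a status dictionary instead of an HTTP response. The sample directory tree it lists is constructed in a temporary directory.

```python
import os
import tempfile
from dataclasses import dataclass


# Constructed stand-in for the application's user object (assumed shape).
@dataclass
class User:
    name: str
    is_admin: bool


class PathOutsideRoot(ValueError):
    """The requested path resolves to a location outside the allowed root."""


def resolve_under_root(root: str, requested: str) -> str:
    """Return the canonical path for `requested`, or raise if it escapes `root`.

    Both sides are canonicalised with realpath so that '..' segments and
    symlinks are collapsed before the containment check is made.
    """
    root_real = os.path.realpath(root)
    # A leading '/' would make os.path.join discard the root entirely,
    # so every request is treated as relative to the root.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    # commonpath on canonical paths: the candidate must be the root itself
    # or one of its descendants. A plain string-prefix test would wrongly
    # accept '/srv/music-private' for the root '/srv/music'.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathOutsideRoot(requested)
    return candidate


def browse(user: User, root: str, requested: str) -> dict:
    """Hypothetical hardened handler for a dir-browser style request."""
    # Authorization first: browsing the filesystem is treated as admin-only here.
    if not user.is_admin:
        return {"status": "forbidden"}
    # Containment second: reject anything that resolves outside the library root.
    try:
        target = resolve_under_root(root, requested)
    except PathOutsideRoot:
        return {"status": "rejected", "reason": "path outside allowed root"}
    if not os.path.isdir(target):
        return {"status": "not_found"}
    folders = sorted(e.name for e in os.scandir(target) if e.is_dir())
    return {"status": "ok", "folders": folders}


def make_sample_library() -> str:
    """Create a constructed sample tree and return the allowed root.

    <tmp>/music/Albums and <tmp>/music/Singles sit inside the root;
    <tmp>/secret sits beside it and must never be listable.
    """
    base = tempfile.mkdtemp(prefix="dirbrowser-demo-")
    for rel in ("music/Albums", "music/Singles", "secret"):
        os.makedirs(os.path.join(base, rel))
    return os.path.join(base, "music")


if __name__ == "__main__":
    root = make_sample_library()
    admin, listener = User("admin", True), User("listener", False)
    print(browse(admin, root, ""))               # status ok, ['Albums', 'Singles']
    print(browse(admin, root, "../secret"))      # status rejected
    print(browse(admin, root, "../proc/self/"))  # status rejected
    print(browse(listener, root, "Albums"))      # status forbidden
```

The order of the guards matters for detection as well as for correctness: a non-admin request is refused before any path handling, so a spike of 'forbidden' responses on this route is a clean signal on its own, and 'rejected' responses from admin sessions point at a misconfigured client or a compromised admin account rather than at ordinary users.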
