Gogs Path Traversal Vulnerability in Wiki Page Update Function Allowing Arbitrary File Deletion

Vulnerability

A path traversal vulnerability has been identified in Gogs versions through 0.13.3, specifically in the updateWikiPage function. This vulnerability allows authenticated users with write access to a repository's wiki to delete arbitrary files on the server. Exploitation involves manipulating the old_title parameter in the wiki editing form, which is used to identify potential rename operations. The parameter is processed without proper sanitization, enabling the deletion of targeted files, particularly those with a .md extension.

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of files, causing data loss and potential disruption of service by removing critical documentation or configuration files.

Reproduction

To reproduce this vulnerability, log into Gogs as a user with write access to a repository wiki. Intercept the POST request to '/repo/wiki/edit' and modify the old_title parameter to include a path traversal sequence, such as '../../../../tmp/target_file'. After submitting the request, the specified file will be deleted from the server.

Remediation

Users are advised to update to Gogs versions 0.13.4 or 0.14.0+dev, where this vulnerability has been patched.
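
The containment check that prevents this class of bug, shown beside an unsafe join, as an added example (this is not the Gogs patch and not code from this advisory). The function names, the wiki directory path and the assumption that the title is joined to the wiki directory with a .md suffix are illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWiki is returned when a title resolves outside the wiki directory.
var ErrOutsideWiki = errors.New("wiki title escapes wiki directory")

// unsafeWikiPath (hypothetical) joins a user-supplied title to the wiki
// directory as-is, so "../" segments are resolved by filepath.Join.
func unsafeWikiPath(wikiDir, title string) string {
	return filepath.Join(wikiDir, title+".md")
}

// safeWikiPath (hypothetical) returns the page path only if it stays inside
// wikiDir. The check is lexical; it does not resolve symlinks on disk.
func safeWikiPath(wikiDir, title string) (string, error) {
	if title == "" || strings.ContainsRune(title, 0) {
		return "", ErrOutsideWiki
	}
	base := filepath.Clean(wikiDir)
	p := filepath.Join(base, title+".md")
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWiki
	}
	return p, nil
}

func main() {
	wikiDir := "/data/repos/alice/demo.wiki" // constructed sample path
	for _, title := range []string{"Home", "../../../../tmp/target_file"} {
		p, err := safeWikiPath(wikiDir, title)
		fmt.Printf("%q unsafe=%s safe=%q err=%v\n", title, unsafeWikiPath(wikiDir, title), p, err)
	}
}
```

Any file operation keyed on old_title (rename or delete) should use only the path returned by a check of this kind and abort on error.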

Added: Feb 6, 2026, 6:31 PM
Updated: Feb 7, 2026, 12:00 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.8
exploitability: 6.6
remediation: 7.7
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.