OpenList Frontend Path Traversal Vulnerability Allowing Unauthorized File Access and Manipulation
Vulnerability
A path traversal vulnerability has been identified in OpenList Frontend versions prior to 4.1.10. It exists in multiple file operation handlers within 'server/handles/fsmanage.go'. The directory in each request is validated, but the filename components in 'req.Names' are concatenated onto that validated directory with 'stdpath.Join' without any check of their own, so '..' sequences in a name bypass the path restrictions. The result is a directory-level authorization bypass: authenticated attackers can access files belonging to other users within the same storage mount and perform unauthorized actions on them, such as deleting, renaming, or copying those files.
Impact
Exploitation of this vulnerability could lead to unauthorized access to, and manipulation of, files belonging to other users within the same storage mount, including the ability to read, copy, and delete such files.
Reproduction
To reproduce this vulnerability, an authenticated user with basic file operation permissions (remove/copy) can inject traversal sequences into filename components. This can be done by manipulating the 'req.Names' parameter to include '..' sequences, which will bypass directory restrictions and access files from other users within the same storage mount.
Remediation
Users can update to OpenList Frontend version 4.1.10 or later, where this vulnerability has been fixed.
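The join described under Vulnerability, next to one way of rejecting unsafe names, as an added example. This is not OpenList's code and not the actual 4.1.10 patch. The function names, the '/alice' and '/bob' directories and the sample names are constructed, and the example assumes each entry in 'req.Names' is meant to be a single file name inside the validated directory.

```go
package main

import (
	"errors"
	"fmt"
	stdpath "path"
	"strings"
)

// ErrUnsafeName is returned when a client-supplied name is not a plain file name.
var ErrUnsafeName = errors.New("name escapes the validated directory")

// JoinUnchecked mirrors the pattern in the advisory: dir has been authorized,
// name has not, and path.Join resolves ".." while cleaning the result.
func JoinUnchecked(dir, name string) string {
	return stdpath.Join(dir, name)
}

// JoinChecked accepts only a single path element, then re-verifies that the
// joined path is still below dir (a second, independent containment check).
func JoinChecked(dir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/\\") {
		return "", ErrUnsafeName
	}
	base := stdpath.Clean("/" + dir)
	full := stdpath.Join(base, name)
	if !strings.HasPrefix(full, strings.TrimSuffix(base, "/")+"/") {
		return "", ErrUnsafeName
	}
	return full, nil
}

func main() {
	dir := "/alice" // constructed: the directory the caller was authorized for
	// Constructed sample names: one legitimate, three that climb out of dir.
	for _, n := range []string{"report.txt", "../bob/secret.txt", "..", "a/../../bob/x"} {
		p, err := JoinChecked(dir, n)
		fmt.Printf("%-20q unchecked=%-18q checked=%q err=%v\n",
			n, JoinUnchecked(dir, n), p, err)
	}
}
```

Running it shows the unchecked join resolving the traversal names to paths outside '/alice', while the checked variant returns an error for every name that is not a plain file name.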
