Alist Path Traversal Vulnerability in File Operation Handlers

A path traversal vulnerability has been identified in Alist versions prior to 3.57.0. This vulnerability allows authenticated attackers to bypass directory-level authorization in multiple file operation handlers. By injecting traversal sequences into filename components, attackers can access and manipulate files across user boundaries within the same storage mount. The issue has been patched in version 3.57.0.

Impact

Exploitation of this vulnerability could lead to unauthorized access and manipulation of files belonging to other users within the same storage mount, including deletion, renaming, and copying of files. This represents a significant breach of privacy and data integrity, allowing for unauthorized data access, data destruction, and an overall violation of access control mechanisms.

Reproduction

To reproduce this vulnerability, an authenticated user with basic file operation permissions can send a request to one of the affected file operation handlers, such as 'FsRemove', 'FsCopy', or 'FsBatchRename'. The request must include a filename that has been crafted to include traversal sequences, such as '../', which will be processed by the server and can be used to access and manipulate files in other users' directories.

Remediation

Users can update to Alist version 3.57.0 or later, where this vulnerability has been patched.