Labstack Echo Path Traversal Vulnerability in Static Middleware on Windows

Vulnerability

A path traversal vulnerability has been identified in the Labstack Echo web framework, in versions 5.0.0 through 5.0.2, when it runs on Windows with the default filesystem. The issue lies in the 'middleware.Static' component, which does not treat backslashes as path separators. This allows unauthenticated remote users to read files outside the configured static root. The root cause is that 'path.Clean' only recognises forward slashes as separators, so backslash-delimited '..' sequences survive cleaning unchanged. The cleaned path is then passed to 'os.Open', which on Windows does treat backslashes as separators, resolves the '..' elements, and so escapes the static directory.
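The following Go program is an added illustration of the mechanism just described; it is not Echo's own code, and the names 'cleanOnly', 'resolveStatic', 'ErrTraversal' and 'ErrBadPath' are hypothetical. 'cleanOnly' shows what 'path.Clean' alone does with a backslash-delimited '..' sequence, and 'resolveStatic' shows a hardened resolution step that normalises backslashes on every operating system, rejects '..' elements explicitly (so the attempt can be logged) and re-checks the result with 'filepath.Rel'. It assumes the request path has already been URL-decoded and only computes the on-disk path; the caller still opens the file.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// Illustrative code added to this advisory; it is not Echo's implementation.
// Names (cleanOnly, resolveStatic, ErrTraversal, ErrBadPath) are hypothetical.

var (
	ErrTraversal = errors.New("request path escapes the static root")
	ErrBadPath   = errors.New("request path contains a forbidden character")
)

// cleanOnly reproduces the weak step the advisory describes: path.Clean on its
// own. path.Clean treats only '/' as a separator, so "..\" never forms a ".."
// element and survives cleaning. On Windows, os.Open later treats '\' as a
// separator and walks up the tree.
func cleanOnly(reqPath string) string {
	return path.Clean("/" + reqPath)
}

// resolveStatic maps an already URL-decoded request path onto a file under
// root, treating backslashes as separators on every OS so that a Windows host
// cannot reinterpret them later. It rejects any ".." element outright rather
// than silently collapsing it, and double-checks the final path with
// filepath.Rel as defence in depth.
func resolveStatic(root, reqPath string) (string, error) {
	normalized := strings.ReplaceAll(reqPath, `\`, "/")

	// NUL bytes and ':' (Windows drive letters, alternate data streams) have no
	// place in a static-file URL.
	if strings.ContainsAny(normalized, ":\x00") {
		return "", ErrBadPath
	}
	for _, seg := range strings.Split(normalized, "/") {
		if seg == ".." {
			return "", ErrTraversal
		}
	}

	// Rooting the path before Clean removes "." and empty elements, and nothing
	// can climb above "/" even if the checks above were somehow bypassed.
	cleaned := path.Clean("/" + normalized)
	full := filepath.Join(root, filepath.FromSlash(cleaned))

	// Belt and braces: the resolved path must still lie inside root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	root := filepath.Join("srv", "static") // constructed sample root
	// Constructed sample request paths (already URL-decoded).
	for _, req := range []string{
		"css/app.css",
		"../../secret.txt",
		`..\..\secret.txt`,
	} {
		fmt.Printf("path.Clean only : %q -> %q\n", req, cleanOnly(req))
		full, err := resolveStatic(root, req)
		if err != nil {
			fmt.Printf("resolveStatic   : %q -> rejected (%v)\n", req, err)
			continue
		}
		fmt.Printf("resolveStatic   : %q -> %q\n", req, full)
	}
}
```

Running it shows the contrast: 'path.Clean' collapses '../../secret.txt' to '/secret.txt' but leaves '..\..\secret.txt' untouched, whereas 'resolveStatic' rejects both. Normalising or rejecting backslashes regardless of host OS matters because the same binary may later be deployed on Windows, and returning a distinct error for traversal attempts gives the request log a signal worth alerting on.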

Impact

Exploitation of this vulnerability allows for arbitrary file reading outside the static root directory, potentially exposing sensitive files on the server.

Reproduction

To reproduce this vulnerability, use Labstack Echo version 5.0.0 through 5.0.2 on Windows and configure 'middleware.Static' with the default filesystem. After deploying the application, send a request whose URL-encoded path includes '..\' sequences to traverse outside the static root, targeting a file such as 'C:\Windows\System32\drivers\etc\hosts'.

Remediation

Upgrade to Labstack Echo version 5.0.3 or later, where this vulnerability has been fixed.

Added: Feb 19, 2026, 6:29 PM
Updated: Feb 19, 2026, 6:29 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.