Home-Gallery Path Traversal Vulnerability Allowing Arbitrary File Download

Vulnerability

A path traversal vulnerability has been identified in Home-Gallery versions prior to 1.21.0. This issue allows users to download sensitive system files by exploiting the application's failure to verify whether requested files are within the designated media source directory. The vulnerability arises when the 'downloadable' option is enabled in the gallery configuration file, and it can be exploited through a vulnerable API endpoint.

Impact

Exploitation of this vulnerability could lead to unauthorized access and download of sensitive system files, such as the passwd file, which contains user account information.

Reproduction

The vulnerability can be reproduced by setting up Home-Gallery 1.20.0 with the 'downloadable' option enabled in the gallery configuration file. After initializing the application with a specified media source, the vulnerable endpoint can be accessed to download arbitrary files outside the media directory, such as system files.

Remediation

Users can upgrade to Home-Gallery version 1.21.0, where this vulnerability has been patched.

Added: Mar 6, 2026, 5:23 AM
Updated: Mar 6, 2026, 5:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 8.7
remediation: 0.0
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.