Actual Sync Server Path Traversal Vulnerability Allowing File Uploads

Vulnerability

A path traversal vulnerability has been identified in Actual Sync Server versions prior to 26.3.0. The POST /sync/upload-user-file endpoint takes the name of the file it writes from the user-controlled x-actual-file-id header and does not validate that value properly. An authenticated user can place traversal segments in the header value to escape the designated userFiles directory and have the uploaded content written elsewhere on the server, for example under /tmp.

Impact

Exploitation requires a valid session, since the endpoint checks the x-actual-token header, so the attacker must already be an authenticated user of the sync server. With that, the uploaded content can be written to any location the server process has permission to write, not only the intended userFiles directory. This can overwrite existing files, or lead to execution of the uploaded content if something on the server later processes it.

Reproduction

Send a POST request to /sync/upload-user-file with a valid x-actual-token header (an authenticated session) and an x-actual-file-id header whose value contains traversal segments (a run of ../ components) that lead out of the userFiles directory, for example to /tmp. The server writes the request body to the resulting path; finding the file at that location outside userFiles confirms the traversal.

Remediation

Users can update to Actual Sync Server version 26.3.0 or later, where this vulnerability has been patched.

Added: Mar 9, 2026, 2:20 PM
Updated: Mar 9, 2026, 2:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.4
exploitability: 6.6
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.