SiYuan Personal Knowledge Management System Path Traversal Vulnerability Allowing Arbitrary File Write and Remote Code Execution

Vulnerability

A vulnerability in SiYuan personal knowledge management system versions through 3.6.0 allows for arbitrary file writes and potential remote code execution. The issue arises in the import functions of the application's API, where uploaded archives are written to a path based on the multipart filename without proper sanitization. This flaw enables an admin to place files in arbitrary locations outside the temporary directory, including system paths that could lead to remote code execution. The vulnerability also poses a risk of data destruction by overwriting important workspace or application files. In Docker containers running as root, which is the default, this could result in full container compromise.

Impact

Exploitation of this vulnerability allows an admin to write files to any path accessible by the SiYuan process. This could lead to remote code execution by placing a payload in a location executed by the system, such as a cron job or bashrc file, data destruction by overwriting application files, or full compromise of a Docker container running as root.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/api/import/importSY' or '/api/import/importZipMd' endpoints with a crafted zip file. The zip file must include a file that exploits the path traversal vulnerability by using '../' sequences to escape the intended directory and write to a sensitive location. This can be done using a Python script that prepares the zip file and sends the request, including an admin authorization token.

Remediation

Users can upgrade to SiYuan version 3.6.1, which addresses this vulnerability by sanitizing the file paths before writing them to the file system.
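The fix the advisory describes, sanitizing client-controlled names before they reach the file system, is easy to get subtly wrong, so the following Go example (added here for illustration; it is not SiYuan's code and does not reproduce its API) places the vulnerable pattern beside a hardened one. It goes slightly beyond the advisory by covering both places an import handler touches untrusted names: the multipart filename used for the temporary archive path, and each entry name inside the archive once it is unpacked. The directory `/tmp/siyuan-import`, the sample filenames, and the function names are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any client-supplied name that would land
// outside the directory the server intends to write into.
var ErrUnsafePath = errors.New("unsafe path: escapes destination directory")

// unsafeDestPath is the vulnerable pattern the advisory describes: the
// multipart filename is joined onto the temp directory unchanged.
// filepath.Join cleans the result, so "../" components silently walk out
// of tmpDir instead of being rejected.
func unsafeDestPath(tmpDir, filename string) string {
	return filepath.Join(tmpDir, filename)
}

// safeDestPath is the hardened form for the upload step: keep only the
// base name of the client-supplied filename, refuse names with no usable
// component, and re-verify that the result is still under tmpDir.
func safeDestPath(tmpDir, filename string) (string, error) {
	// Treat backslashes as separators so a Windows-style name cannot smuggle
	// directory components past filepath.Base on a Unix host.
	name := filepath.Base(strings.ReplaceAll(filename, "\\", "/"))
	if name == "." || name == ".." || name == "/" || name == "" {
		return "", ErrUnsafePath
	}
	dest := filepath.Join(tmpDir, name)
	if err := ensureWithin(tmpDir, dest); err != nil {
		return "", err
	}
	return dest, nil
}

// safeEntryPath is the matching check for the extraction step: archive
// entries may keep their sub-directories, but absolute names and names
// that resolve outside destDir are refused before any file is created.
func safeEntryPath(destDir, entryName string) (string, error) {
	normalized := strings.ReplaceAll(entryName, "\\", "/")
	if strings.HasPrefix(normalized, "/") || filepath.IsAbs(normalized) {
		return "", ErrUnsafePath
	}
	dest := filepath.Join(destDir, normalized)
	if err := ensureWithin(destDir, dest); err != nil {
		return "", err
	}
	return dest, nil
}

// ensureWithin returns ErrUnsafePath unless target, once cleaned, is a
// strict descendant of base. Checking the relative path (rather than a
// string prefix) avoids the classic "/tmp/app" vs "/tmp/app-evil" mistake.
func ensureWithin(base, target string) error {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(target))
	if err != nil {
		return ErrUnsafePath
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return ErrUnsafePath
	}
	return nil
}

func main() {
	// Constructed sample inputs; none of these come from a real request.
	tmpDir := "/tmp/siyuan-import"
	for _, fn := range []string{"notes.sy.zip", "../../etc/escaped.zip", ".."} {
		safe, err := safeDestPath(tmpDir, fn)
		fmt.Printf("upload %-24q unsafe=%-32s safe=%q err=%v\n",
			fn, unsafeDestPath(tmpDir, fn), safe, err)
	}
	unpack := filepath.Join(tmpDir, "unpacked")
	for _, entry := range []string{"notes/daily.md", "notes/../../outside.md", "/abs.md"} {
		p, err := safeEntryPath(unpack, entry)
		fmt.Printf("entry  %-24q dest=%q err=%v\n", entry, p, err)
	}
}
```

Two design points worth noting: the upload step reduces the name to its base component rather than trying to strip `../` substrings, because stripping leaves room for encodings the stripper did not anticipate; and both steps end with the same `ensureWithin` check, so the extractor cannot be fooled by an entry whose traversal only becomes apparent after `filepath.Join` cleans it.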

Added: Mar 19, 2026, 9:31 PM
Updated: Mar 19, 2026, 9:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 10.0
exploitability: 5.3
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.