FileRise Resumable Upload Path Traversal Vulnerability Allowing Arbitrary File Write and Directory Deletion

Vulnerability

A path traversal vulnerability has been identified in FileRise, a self-hosted web file manager and WebDAV server, affecting versions from 1.0.1 up to, but not including, 3.10.0. The issue arises in the Resumable.js chunked upload handler, where the 'resumableIdentifier' parameter is concatenated into filesystem paths without proper sanitization. This flaw allows authenticated users with upload permissions to write files to arbitrary directories, delete directories through a post-upload cleanup process, and probe the existence of files or directories on the server.
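The path handling described above, next to a hardened form, as an added Python illustration; it is not FileRise's code or its 3.10.0 patch. The function names, the allow-listed character set and the directory layout are assumptions made for the example.

```python
import os
import re
import shutil

# Assumption: upload identifiers only need letters, digits, '_' and '-'.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,128}")


class UnsafeIdentifier(ValueError):
    """Raised when an identifier could place the chunk directory outside the root."""


def chunk_dir_unsafe(upload_root, identifier):
    # The flawed pattern: the request value is joined into the path unchecked,
    # so any '..' components in it are honoured by the filesystem.
    return os.path.join(upload_root, identifier)


def chunk_dir_safe(upload_root, identifier):
    # 1. Allow-list the value itself: no separators, dots or NUL bytes survive.
    if not isinstance(identifier, str) or not SAFE_ID.fullmatch(identifier):
        raise UnsafeIdentifier("identifier outside the allowed character set")
    # 2. Defence in depth: resolve symlinks and require a direct child of the root.
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, identifier))
    if os.path.dirname(candidate) != root:
        raise UnsafeIdentifier("resolved path leaves the upload root")
    return candidate


def cleanup_chunks(upload_root, identifier):
    # Post-upload cleanup is recursive, so it must use the validated path too.
    target = chunk_dir_safe(upload_root, identifier)
    if os.path.isdir(target):
        shutil.rmtree(target)
        return True
    return False


def escapes_root(upload_root, path):
    # Helper for review and testing: does a path resolve outside the upload root?
    root = os.path.realpath(upload_root)
    return os.path.commonpath([root, os.path.realpath(path)]) != root
```

The same validated path has to be used by every code path that touches the chunk directory: write, existence check and cleanup.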

Impact

Exploitation of this vulnerability allows for arbitrary file writes to directories accessible by the web server, creation of arbitrary directory structures, and recursive deletion of directories and their contents. In the default Docker deployment, this could lead to the loss of important application data, including metadata and user files.

Reproduction

The vulnerability can be reproduced by sending a POST request to the upload endpoint with a crafted 'resumableIdentifier' that includes traversal sequences. This request should be made by an authenticated user with upload permissions. After the upload, the traversed directories can be checked for the uploaded files, and the same technique can be used to delete directories or probe for file existence.

Remediation

Users are advised to update to FileRise version 3.10.0 or later, where this vulnerability has been patched.

Added: Mar 24, 2026, 8:38 PM
Updated: Mar 24, 2026, 8:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.