SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= v3.6.1
A directory traversal vulnerability allowing unauthenticated arbitrary file reads has been identified in SiYuan versions prior to 3.6.2. The issue arises from an exposed file-serving endpoint under '/appearance/*filepath', which lacks proper path sanitization. This oversight enables attackers to traverse directories and access files available to the server process. Notably, authentication checks are bypassed for this endpoint, facilitating exploitation without credentials.
Exploitation of this vulnerability allows for unauthorized access to arbitrary files readable by the SiYuan server process. This could include sensitive workspace configuration files, user notes, API tokens, and local system files, depending on their permissions.
The vulnerability can be reproduced by sending a request to the '/appearance/' endpoint with a path traversal sequence, such as '../', to access files outside the intended directory. This can be done with a web browser or a tool such as cURL, as long as path normalization is disabled so that the traversal sequences are not removed.
Users can upgrade to SiYuan version 3.6.2 or later, where this vulnerability has been patched.
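For developers of similar file-serving routes, the path containment check that the description above says was missing can look like the following. This is an added example, not SiYuan's code or its actual patch; the function name `ResolveUnder`, the error value and the sample paths are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a request resolves outside the served directory.
var ErrOutsideBase = errors.New("requested path escapes base directory")

// ResolveUnder maps the wildcard part of a request (for example the *filepath
// segment of /appearance/*filepath) to a file path and rejects anything that
// would land outside base. Name and signature are hypothetical.
func ResolveUnder(base, requested string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "a/../../b" collapses before the check.
	candidate := filepath.Join(absBase, filepath.FromSlash(requested))
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", err
	}
	// A relative path that is ".." or starts with "../" points above base.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

func main() {
	base := "/srv/workspace/appearance" // constructed sample directory
	for _, req := range []string{ // constructed sample requests
		"themes/daylight/theme.css",
		"themes/../icons/icon.js",
		"../outside.txt",
		"themes/../../outside.txt",
	} {
		p, err := ResolveUnder(base, req)
		fmt.Printf("%-30q -> %q err=%v\n", req, p, err)
	}
}
```

The check is lexical only: if the served directory can contain symbolic links, resolve them (for example with `filepath.EvalSymlinks`) before comparing. It also does not replace the authentication check that the description says was skipped for this endpoint.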