GoDoxy Path Traversal Vulnerability in File Content API Endpoint
Vulnerability
A path traversal vulnerability has been identified in GoDoxy, a reverse proxy and container orchestrator for self-hosters, in versions prior to 0.27.5. The issue resides in the file content API endpoint at '/api/v1/file/content', where the 'filename' query parameter is passed directly to 'path.Join(common.ConfigBasePath, filename)' without proper validation or sanitization. This allows authenticated attackers to use '../' sequences to read or write files outside the designated 'config/' directory. Sensitive files such as TLS private keys and OAuth refresh tokens, as well as any other file accessible to the container's UID, can be compromised.
Impact
Exploitation of this vulnerability allows for unauthorized access to files outside the intended directory, including sensitive information such as TLS private keys and OAuth refresh tokens. Additionally, the vulnerability could be used to write files outside the 'config/' directory, potentially injecting malicious content into the application.
Reproduction
To reproduce this vulnerability, authenticate with the default credentials ('admin'/'password') and send a GET request to the '/api/v1/file/content' endpoint. Include a 'filename' parameter with a value that traverses the directory, such as '../certs/secret-agent-key.pem'. The response will include the contents of the requested file, demonstrating the successful exploitation of the path traversal vulnerability.
Remediation
Users can update to GoDoxy version 0.27.5 or later, where this vulnerability has been fixed.
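For reviewers checking their own handlers for the same pattern, the following added example (not GoDoxy's code and not its actual fix) puts the join described under Vulnerability next to a containment check. The base path value and the names unsafeJoin, safeJoin and ErrOutsideBase are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// configBasePath stands in for common.ConfigBasePath; the value is assumed.
const configBasePath = "/app/config"

// ErrOutsideBase is a hypothetical error for names that leave the base directory.
var ErrOutsideBase = errors.New("filename resolves outside config directory")

// unsafeJoin mirrors the pattern in the advisory: Join cleans the result,
// so "../" segments in filename walk out of the base directory.
func unsafeJoin(filename string) string {
	return path.Join(configBasePath, filename)
}

// safeJoin (hypothetical helper) resolves filename and refuses any result
// that is not strictly inside configBasePath.
func safeJoin(filename string) (string, error) {
	if filename == "" || filepath.IsAbs(filename) {
		return "", ErrOutsideBase
	}
	full := filepath.Join(configBasePath, filename)
	rel, err := filepath.Rel(configBasePath, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed inputs; the second is the value from the Reproduction section.
	names := []string{"config.yml", "../certs/secret-agent-key.pem",
		"sub/../middlewares.yml", "a/../../etc/passwd"}
	for _, name := range names {
		p, err := safeJoin(name)
		fmt.Printf("%q unsafe=%s safe=%q err=%v\n", name, unsafeJoin(name), p, err)
	}
}
```

The check is lexical only: it does not resolve symlinks, so a symlink placed inside the base directory needs separate handling, for example filepath.EvalSymlinks before the containment test.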
