Fireshare Path Traversal Vulnerability in Chunked Upload Endpoint Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in Fireshare version 1.5.1, specifically within the chunked upload endpoint. This vulnerability allows authenticated attackers to write arbitrary files outside the designated upload directory. The issue arises because the 'checkSum' multipart field is used to construct filesystem paths without proper sanitization or containment checks. As a result, attackers can exploit this flaw to write files to locations writable by the Fireshare process, such as the '/tmp' directory in containerized environments. This violation of data integrity could lead to further attacks, depending on the specific deployment.

Impact

Exploitation of this vulnerability allows for arbitrary file writes to locations chosen by the attacker, as long as those locations are writable by the Fireshare process.

Reproduction

To reproduce this vulnerability, log in to the Fireshare application and obtain a session cookie. Then, create a file that will be uploaded and use the '/api/uploadChunked' endpoint to upload it. Include a crafted 'checkSum' value that traverses the directory structure to write the file to an arbitrary location, such as the '/tmp' directory.

Remediation

Users can upgrade to Fireshare version 1.5.2, which addresses this vulnerability.
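
The missing sanitization and containment check described under Vulnerability can be sketched as follows. This is an added example, not Fireshare's code or the 1.5.2 patch; the hex-digest format for 'checkSum', the chunk naming and all function names are assumptions made for illustration.

```python
import hashlib
import os
import re
import tempfile

# Assumption: checkSum is a hex digest; the advisory does not state its format.
CHECKSUM_RE = re.compile(r"[0-9a-fA-F]{32,128}")


def chunk_name(checksum, index):
    # Hypothetical on-disk naming for an upload chunk.
    return f"{checksum}.part{index:04d}"


def unsafe_chunk_path(upload_dir, checksum, index):
    """The flawed pattern: a client-supplied field joined into a path unchecked."""
    return os.path.join(upload_dir, chunk_name(checksum, index))


def escapes(upload_dir, path):
    """True if path, once resolved, lies outside upload_dir."""
    base = os.path.realpath(upload_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def safe_chunk_path(upload_dir, checksum, index):
    """Allow-list the field, then verify containment of the resolved path."""
    if not CHECKSUM_RE.fullmatch(checksum):
        raise ValueError("checkSum is not a hex digest")
    target = os.path.realpath(unsafe_chunk_path(upload_dir, checksum, index))
    if escapes(upload_dir, target):  # defence in depth, e.g. a symlink inside upload_dir
        raise ValueError("resolved path escapes the upload directory")
    return target


if __name__ == "__main__":
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    samples = [  # constructed inputs
        hashlib.sha256(b"constructed chunk").hexdigest(),
        "../../tmp/constructed",
    ]
    for value in samples:
        leaked = escapes(upload_dir, unsafe_chunk_path(upload_dir, value, 0))
        print(repr(value), "unsafe join escapes:", leaked)
        try:
            print("  accepted ->", safe_chunk_path(upload_dir, value, 0))
        except ValueError as exc:
            print("  rejected:", exc)
```

The allow-list alone stops the traversal value; the resolved-path comparison remains as a second check so that a later change to the naming or the pattern cannot silently reopen the write.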

Added: Mar 26, 2026, 9:59 PM
Updated: Mar 26, 2026, 9:59 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.2
exploitability: 6.2
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.