goshs Share Token Authentication Bypass Vulnerability Allowing Code Execution

An authentication bypass vulnerability has been identified in goshs, a SimpleHTTPServer written in Go. This issue affects versions 1.1.0 prior to 2.0.0-beta.2. When the Share Token is used, it is possible to bypass the restricted file download limitations and access all goshs functionalities, including executing code. The vulnerability arises because the BasicAuthMiddleware checks for a token before verifying credentials. If a valid token is present, the request is authorized without any authentication checks, allowing access to directory listings, file deletion, clipboard functions, WebSocket connections, and command execution via the CLI.

Impact

Exploitation of this vulnerability bypasses authentication, allowing unauthorized access to all goshs features, including directory listings, file deletion, clipboard functions, WebSocket connections, and command execution via the CLI.

Reproduction

To reproduce this vulnerability, first create a webroot directory and place a shareable file inside. Start goshs with authentication, TLS, and CLI mode enabled. After verifying that authentication is required, create a share link for the file, which will return a token. This token can then be used to bypass authentication for WebSocket connections, granting access to execute commands on the server.

Remediation

Users can upgrade to goshs version 2.0.0-beta.2 or later, where this vulnerability has been patched.