Fireshare Unauthenticated Path Traversal Vulnerability Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in Fireshare versions prior to 1.5.3 in the unauthenticated '/api/uploadChunked/public' endpoint. The 'checkSum' form parameter is used directly when the server constructs the destination path for an uploaded chunk, without sanitization or a containment check, so a value containing '../' segments walks out of the intended upload directory. An unauthenticated attacker can therefore write a file with attacker-controlled content to any location writable by the user the Fireshare process runs as. The severity is compounded by the fact that the endpoint requires no authentication: any network-reachable instance is exposed.

Impact

Exploitation of this vulnerability yields an unauthenticated arbitrary file write in which the attacker controls both the file content and the write location, limited only by the filesystem permissions of the Fireshare process. Overwriting critical application or system files can cause a denial-of-service condition, and remote code execution becomes possible when the written file is picked up and executed by another component, for example a directory monitored by a cron job or systemd timer.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/uploadChunked/public' endpoint with the 'blob' parameter containing a file, the 'chunkPart' and 'totalChunks' parameters both set to '1', and the 'checkSum' parameter crafted to traverse directories (e.g., '../../../../../tmp/fireshare_poc'). The server writes the uploaded content to the resulting path; confirm by checking that '/tmp/fireshare_poc' now exists on the server with the uploaded content. The number of '../' segments required depends on the depth of the upload directory; on Linux, extra '..' segments beyond the filesystem root are harmless, so over-estimating the depth still lands in '/tmp'.

Remediation

Users are advised to update to Fireshare version 1.5.3 or later, where the public upload endpoint validates the 'checkSum' parameter and guards the constructed path against traversal before any file is written.
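The following is added example code, not Fireshare's source and not the 1.5.3 patch. It models the bug class described in the Vulnerability and Reproduction sections (a client-supplied 'checkSum' joined into a filesystem path) beside the kind of guard the Remediation section describes. The staging directory, the hex-digest allow-list and the 'stage_chunk' handler are assumptions for illustration; only the form field names and the traversal payload come from the advisory.

```python
import os
import re
import tempfile

# Hypothetical staging directory for upload chunks (assumption, not Fireshare's layout).
UPLOAD_DIR = "/var/lib/fireshare/chunks"

# Assumed allow-list for checkSum: a lowercase hex digest (MD5 through SHA-512 lengths).
# The advisory does not state the expected format; this is the illustrative choice.
HEX_DIGEST = re.compile(r"[0-9a-f]{32,128}")


def vulnerable_chunk_path(upload_dir, checksum):
    """Unsanitized join, the pattern the advisory describes.

    '../' segments in checksum walk out of upload_dir, and os.path.join
    discards upload_dir entirely when checksum is an absolute path.
    """
    return os.path.normpath(os.path.join(upload_dir, checksum))


def safe_chunk_path(upload_dir, checksum):
    """Hardened join: allow-list the value, then verify containment after resolution."""
    if not HEX_DIGEST.fullmatch(checksum):
        raise ValueError("checkSum must be a hex digest")
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, checksum))
    # Belt and braces: even if the allow-list is loosened later, refuse anything
    # that does not resolve inside the staging directory.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("checkSum resolves outside the upload directory")
    return candidate


def stage_chunk(upload_dir, fields, blob, hardened):
    """Model of the server-side handler for one upload request (assumption).

    fields mirrors the form parameters named in the advisory; blob is the
    uploaded bytes. Returns the path the chunk was written to.
    """
    chunk_part = int(fields["chunkPart"])
    total_chunks = int(fields["totalChunks"])
    if not 1 <= chunk_part <= total_chunks:
        raise ValueError("chunkPart out of range")
    builder = safe_chunk_path if hardened else vulnerable_chunk_path
    target = builder(upload_dir, fields["checkSum"])
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(blob)
    return target


def demo_in_temp_dir():
    """Run both handlers against the advisory's payload inside a throwaway tree.

    The temporary directory stands in for '/'; nothing outside it is touched.
    Returns a dict describing what each handler did.
    """
    traversal = "../../../../../tmp/fireshare_poc"  # payload from the Reproduction section
    fields = {"chunkPart": "1", "totalChunks": "1", "checkSum": traversal}
    blob = b"constructed sample content\n"  # constructed, not real upload data
    with tempfile.TemporaryDirectory() as root:
        # Five directory levels, so the payload's five '../' land exactly at <root>.
        upload_dir = os.path.join(root, "srv", "fireshare", "data", "uploads", "chunks")
        os.makedirs(upload_dir)
        real_upload = os.path.realpath(upload_dir)

        written = stage_chunk(upload_dir, fields, blob, hardened=False)
        escaped = os.path.commonpath([real_upload, os.path.realpath(written)]) != real_upload

        try:
            stage_chunk(upload_dir, fields, blob, hardened=True)
            blocked = False
        except ValueError:
            blocked = True

        # A well-formed digest is still accepted by the hardened handler.
        good_fields = dict(fields, checkSum="d41d8cd98f00b204e9800998ecf8427e")
        good = stage_chunk(upload_dir, good_fields, blob, hardened=True)

        return {
            "vulnerable_wrote_outside": escaped,
            "vulnerable_relative_target": os.path.relpath(written, root),
            "hardened_blocked_traversal": blocked,
            "hardened_kept_good_digest": os.path.dirname(good) == real_upload,
        }


if __name__ == "__main__":
    for key, value in demo_in_temp_dir().items():
        print(f"{key}: {value}")
```

The containment check uses realpath on both sides so that symlinks inside the staging directory cannot be used to re-escape after the allow-list passes; relying on the regular expression alone would be enough for this payload, but the second check is what survives future changes to the accepted format.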

Added: Apr 2, 2026, 8:25 PM
Updated: Apr 2, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.