Trilium Notes Local File Inclusion Vulnerability in Attachment Upload API

Vulnerability

A local file inclusion vulnerability has been identified in Trilium Notes versions prior to 0.102.2. It allows an authenticated attacker to read arbitrary files from the server's filesystem. The vulnerability lies in the 'uploadModifiedFileToAttachment' function, which is triggered by a POST request to '/api/attachments/{attachmentId}/upload-modified-file'. This function replaces the content of an attachment with that of another file, specified by its path in the request body. Once the upload has completed, the attachment can be downloaded via '/api/attachments/{attachmentId}/download', exposing sensitive system files such as SSH keys, credentials, configuration files, and other operating system files. This could lead to remote code execution and to compromise of applications co-hosted on the same server.

Impact

Exploitation of this vulnerability allows for local file inclusion, enabling attackers to read sensitive files from the server. This could include private SSH keys, configuration files, credentials for backend systems, and sensitive files from other applications and services running on the same server. Additionally, according to the GitHub advisory, this vulnerability could be exploited to perform remote code execution by retrieving private SSH keys.

Reproduction

To reproduce this vulnerability, upload an attachment and note the 'attachmentId'. Then, send a POST request to '/api/attachments/{attachmentId}/upload-modified-file', including the 'x-csrf-token' header, 'Content-Type' as 'application/json', and a JSON body with the 'filePath' key set to a path of a sensitive file, such as '/etc/passwd'. After the file is uploaded, send a GET request to '/api/attachments/{attachmentId}/download' to retrieve the contents of the included file, which will be the sensitive file specified earlier.

Remediation

Users are advised to update Trilium Notes to version 0.102.2 or later, where this vulnerability has been fixed.

Added: May 20, 2026, 12:18 AM
Updated: May 20, 2026, 12:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 8.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.