goshs SFTP Command Rename Vulnerability Allowing Write Outside Root Directory

Vulnerability

A vulnerability exists in goshs versions 1.0.7 up to, but not including, 2.0.0-beta.4, in the SFTP rename command. The rename handler sanitizes only the source path; the destination path is never checked against the SFTP root. As a result, a user who can upload over SFTP can write files outside the directory designated as the SFTP root.

Impact

Exploitation of this vulnerability enables unauthorized file writing outside the intended directory, which could lead to overwriting critical files such as SSH keys or application configuration files, potentially causing remote code execution.

Reproduction

To reproduce this vulnerability, upload a file to the SFTP server and then use the rename command to move the file to a destination path that is not properly sanitized. This can be done by specifying a full path that writes outside the root directory of the SFTP server.

Remediation

Update to goshs version 2.0.0-beta.4 or later, where this vulnerability is fixed.
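The corrected pattern for a rename handler, as an added illustration that is not goshs code: every client-supplied path, destination included, is resolved against the SFTP root and rejected if it lands outside. The helper names (resolveInRoot, renameInRoot), the example root and the sample paths are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("path escapes the SFTP root")

// resolveInRoot maps a client-supplied SFTP path onto the local filesystem
// and rejects anything that resolves outside root. Hypothetical helper,
// not goshs code. Symlinks are not followed here; a real server should also
// apply filepath.EvalSymlinks to the resolved path before using it.
func resolveInRoot(root, clientPath string) (string, error) {
	root = filepath.Clean(root)
	// Join cleans the result, so any ".." in clientPath is applied here.
	full := filepath.Join(root, clientPath)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", errOutsideRoot
	}
	return full, nil
}

// renameInRoot is the corrected pattern: source AND destination are both
// validated. The flaw described above validated only the source.
func renameInRoot(root, src, dst string) error {
	srcPath, err := resolveInRoot(root, src)
	if err != nil {
		return fmt.Errorf("rename source %q: %w", src, err)
	}
	dstPath, err := resolveInRoot(root, dst)
	if err != nil {
		return fmt.Errorf("rename destination %q: %w", dst, err)
	}
	return os.Rename(srcPath, dstPath)
}

func main() {
	root := "/srv/sftp" // constructed example root
	for _, dst := range []string{"uploads/renamed.txt", "../../outside/file.txt"} {
		_, err := resolveInRoot(root, dst)
		fmt.Printf("destination %q -> allowed=%v\n", dst, err == nil)
	}
}
```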

Added: Apr 10, 2026, 8:20 PM
Updated: Apr 10, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 8.0
remediation: 0.0
relevance: 5.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.