goshs Authorization Bypass Vulnerability in State-Changing Routes
Vulnerability
A critical authorization bypass vulnerability has been identified in goshs, a SimpleHTTPServer written in Go. The issue affects versions up to and including 2.0.0-beta.3. goshs enforces its per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but not for state-changing operations: file uploads, directory creation, and file deletion. An unauthenticated attacker can therefore modify files and directories inside .goshs-protected areas, uploading files via PUT or multipart POST, creating directories with the ?mkdir parameter, and deleting files, including the .goshs file itself. Deleting .goshs removes the folder's authentication policy, after which previously protected content can be read without credentials. The flaw affects confidentiality, integrity, and availability of the served content.
Impact
Exploitation of this vulnerability allows for unauthorized file uploads, directory creations, and file deletions within protected areas, including the removal of the .goshs authentication file, which can lead to unauthorized access of previously secured content.
Reproduction
To reproduce this vulnerability, send a request targeting a .goshs-protected directory without credentials: upload a file with a PUT request or a multipart POST request to the '/upload' endpoint, create a directory with the '?mkdir' parameter, or delete a file with the '?delete' parameter. None of these mutation routes consults the .goshs policy. Deleting the .goshs file through the unauthenticated delete route removes the folder's authentication barrier, and subsequent reads of the previously protected files succeed without credentials.
Remediation
Update to goshs version 2.0.0-beta.4 or later, where this vulnerability has been fixed. In the updated version, .goshs authorization checks are enforced for all state-changing operations, and the .goshs file is protected in mutation handlers.
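The reproduction steps above and the fix described in this section can be checked against a small model of the per-folder ACL. The following Go program is an added example written for this page; it is not goshs source and does not reproduce goshs internals. It assumes a `.goshs` file containing `user:pass` protects its folder with HTTP basic auth, that the request path names the target file, and that the `?mkdir` and `?delete` query flags select the operation (multipart parsing is left out; PUT/POST bodies are written as-is). With `enforceAll=false` the handler checks the ACL on reads only, which is the pre-beta.4 gap; with `enforceAll=true` every route is checked and mutation of the policy file is refused, which is the behaviour the remediation describes.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// aclFile is the per-folder policy file; its content is assumed to be "user:pass".
const aclFile = ".goshs"

// protectedBy walks from the requested path up to root and returns the nearest
// .goshs credentials, or "" if no folder on the way is protected.
func protectedBy(root, reqPath string) string {
	dir := filepath.Join(root, filepath.FromSlash(reqPath))
	for {
		if b, err := os.ReadFile(filepath.Join(dir, aclFile)); err == nil {
			return strings.TrimSpace(string(b))
		}
		if dir == root || !strings.HasPrefix(dir, root) {
			return ""
		}
		dir = filepath.Dir(dir)
	}
}

func authorized(r *http.Request, cred string) bool {
	user, pass, ok := r.BasicAuth()
	return ok && user+":"+pass == cred
}

// isMutation flags the state-changing routes named in the advisory.
func isMutation(r *http.Request) bool {
	q := r.URL.Query()
	return r.Method == http.MethodPut || r.Method == http.MethodPost ||
		q.Has("mkdir") || q.Has("delete")
}

// newHandler models the server. enforceAll=false applies the ACL to reads only
// (the vulnerable behaviour); enforceAll=true applies it to every request and
// additionally refuses to create, overwrite or delete the policy file itself.
func newHandler(root string, enforceAll bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target := filepath.Join(root, filepath.FromSlash(r.URL.Path))
		mutation := isMutation(r)
		cred := protectedBy(root, r.URL.Path)
		if cred != "" && (enforceAll || !mutation) && !authorized(r, cred) {
			w.Header().Set("WWW-Authenticate", `Basic realm="goshs"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !mutation {
			http.ServeFile(w, r, target) // plain read of a file or listing
			return
		}
		if enforceAll && filepath.Base(target) == aclFile {
			http.Error(w, "policy file is not writable", http.StatusForbidden)
			return
		}
		var err error
		switch {
		case r.URL.Query().Has("delete"):
			err = os.RemoveAll(target)
		case r.URL.Query().Has("mkdir"):
			err = os.MkdirAll(target, 0o755)
		default: // PUT or POST: the raw body becomes the file content
			var body []byte
			if body, err = io.ReadAll(r.Body); err == nil {
				err = os.WriteFile(target, body, 0o644)
			}
		}
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// probe sends one in-memory request and returns the HTTP status code.
func probe(h http.Handler, method, target, user, pass, body string) int {
	r := httptest.NewRequest(method, target, strings.NewReader(body))
	if user != "" {
		r.SetBasicAuth(user, pass)
	}
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	return w.Code
}

// fixture builds a scratch root with a protected folder "sub" (constructed sample data).
func fixture() (string, error) {
	root, err := os.MkdirTemp("", "goshs-acl")
	if err != nil {
		return "", err
	}
	sub := filepath.Join(root, "sub")
	if err := os.Mkdir(sub, 0o755); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(sub, aclFile), []byte("admin:s3cret\n"), 0o600); err != nil {
		return "", err
	}
	return root, os.WriteFile(filepath.Join(sub, "secret.txt"), []byte("top secret\n"), 0o644)
}

func main() {
	for _, enforceAll := range []bool{false, true} {
		root, err := fixture()
		if err != nil {
			panic(err)
		}
		h := newHandler(root, enforceAll)
		fmt.Printf("enforceAll=%v: read=%d delete .goshs=%d read again=%d\n", enforceAll,
			probe(h, "GET", "/sub/secret.txt", "", "", ""),
			probe(h, "GET", "/sub/.goshs?delete", "", "", ""),
			probe(h, "GET", "/sub/secret.txt", "", "", ""))
		os.RemoveAll(root)
	}
}
```

Running the program shows the two-step bypass from the reproduction section: against the vulnerable handler the first unauthenticated read returns 401, the unauthenticated delete of `.goshs` returns 200, and the second read returns 200. Against the hardened handler all three return 401, and even a correctly authenticated delete of `.goshs` is refused with 403. The same `probe` calls can be adapted to a live instance by replacing the in-memory handler with an HTTP client; the point to check after upgrading is that every mutation route, not only reads, answers 401 without credentials.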
