goshs Cross-Site Request Forgery Vulnerability in State-Changing GET Routes

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in goshs versions 2.0.0-beta.4 prior to 2.0.0-beta.5. This issue allows external attackers to exploit state-changing HTTP GET routes, causing authenticated users' browsers to perform destructive actions such as file deletion and directory creation. The vulnerability arises because goshs relies solely on HTTP basic authentication to authorize these requests and does not implement CSRF protections or validate the Origin or Referer headers for these routes; since a browser attaches cached basic-auth credentials to any request it sends to that host, a GET triggered from another origin is accepted as if the user had issued it. The vulnerability has been patched in version 2.0.0-beta.6.

Impact

Exploitation of this vulnerability allows an attacker to manipulate the filesystem on the server where goshs is running, by deleting files and creating directories, all without the knowledge or consent of the authenticated user.

Reproduction

The vulnerability can be reproduced by uploading an image to a server that is running goshs beta 5 with HTTP basic authentication. The image should be hosted on a different server or port. When the image is loaded in a browser, it will trigger the CSRF vulnerability by sending a request to the goshs server to delete a file or create a directory, depending on the route accessed. This can be automated with a script that handles the authentication and request sending.

Remediation

Users are advised to update to goshs version 2.0.0-beta.6 or later. Additionally, it is recommended to move state-changing actions off GET routes and implement CSRF protections, such as per-request tokens and strict validation of Origin and Referer headers.
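The following Go middleware is an added example of how the remediation above can be implemented; it is not goshs project code. It moves the state-changing handler to POST only (so an image tag or plain link cannot trigger it), checks the Origin header with Referer as a fallback, and requires a CSRF token. The route path, the allowed origin and the token value are hypothetical; a real server generates the token randomly per session.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/url"
)

// allowedOrigin is the only origin permitted to issue state-changing requests (hypothetical value for this example).
const allowedOrigin = "http://localhost:8000"
// expectedToken stands in for a per-session CSRF token that a real server would generate randomly and embed in its forms.
const expectedToken = "example-csrf-token-not-for-production"

// sameOrigin reports whether Origin (or, failing that, Referer) matches allowedOrigin; a request carrying neither header is rejected.
func sameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		ref, err := url.Parse(r.Header.Get("Referer"))
		if err != nil || ref.Scheme == "" || ref.Host == "" {
			return false
		}
		src = ref.Scheme + "://" + ref.Host
	}
	return src == allowedOrigin
}

// csrfGuard wraps a state-changing handler: it refuses anything but POST (so an <img>
// tag or link cannot trigger it), then checks origin and CSRF token before delegating.
func csrfGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if !sameOrigin(r) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		tok := r.Header.Get("X-CSRF-Token")
		if subtle.ConstantTimeCompare([]byte(tok), []byte(expectedToken)) != 1 {
			http.Error(w, "missing or invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// deleteHandler stands in for the real file-deletion route (body omitted).
func deleteHandler(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }

func main() {
	http.Handle("/delete", csrfGuard(http.HandlerFunc(deleteHandler)))
	http.ListenAndServe(":8000", nil)
}
```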

Added: Apr 21, 2026, 11:47 PM
Updated: Apr 21, 2026, 11:47 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.1
remediation: 0.0
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.