goshs SFTP Authentication Bypass Vulnerability
Vulnerability
An authentication bypass vulnerability in the SFTP service of goshs, a SimpleHTTPServer written in Go, has been identified in versions prior to 2.0.0-beta.6. The issue arises when the empty-username basic-auth syntax is used. If the server is started with the empty username and a password, it accepts the configuration but fails to install the necessary SFTP password handler. Consequently, an unauthenticated network attacker can connect to the SFTP service and access files without a password.
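The failure mode described above, modelled as an added example in Go (not goshs source code): a credential gate that keys on the username alone lets the ':pass' form through with no handler, and a startup guard that fails closed catches it. All type and function names are hypothetical, the weak gate is an assumed shape of the flaw, and password-only matching for an empty username is an assumption.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Creds models the value given to -b as "user:pass" (hypothetical type, not goshs code).
type Creds struct{ User, Pass string }

// parseBasicAuth splits at the first colon, so ":pass" yields an empty username.
func parseBasicAuth(v string) (Creds, error) {
	i := strings.IndexByte(v, ':')
	if i < 0 {
		return Creds{}, errors.New("expected user:pass")
	}
	return Creds{User: v[:i], Pass: v[i+1:]}, nil
}

// Assumed shape of the flaw: the password handler is gated on the username alone.
func installsHandlerWeak(c Creds) bool { return c.User != "" }

// Corrected gate: any configured credential must produce a handler.
func installsHandlerFixed(c Creds) bool { return c.User != "" || c.Pass != "" }

// checkPassword is what an installed handler would run. Assumption: an empty
// configured username means only the password is compared.
func checkPassword(c Creds, user, pass string) bool {
	okPass := subtle.ConstantTimeCompare([]byte(pass), []byte(c.Pass)) == 1
	okUser := c.User == "" || subtle.ConstantTimeCompare([]byte(user), []byte(c.User)) == 1
	return okPass && okUser
}

// startupGuard fails closed: credentials were requested but nothing enforces them.
func startupGuard(c Creds, handlerInstalled bool) error {
	if (c.User != "" || c.Pass != "") && !handlerInstalled {
		return errors.New("auth configured but no SFTP password handler installed")
	}
	return nil
}

func main() {
	c, _ := parseBasicAuth(":pass") // constructed sample: the empty-username form from this page
	fmt.Println("weak gate:", startupGuard(c, installsHandlerWeak(c)))
	fmt.Println("fixed gate:", startupGuard(c, installsHandlerFixed(c)))
}
```

A guard of this kind turns a silent fail-open into a refusal to start, which is the safer default whenever a credential option is accepted but not wired to an enforcement point.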
Impact
Exploitation of this vulnerability allows unauthenticated access to the SFTP service, enabling an attacker to read, upload, rename, and delete files within the configured SFTP root, depending on the server mode and filesystem permissions.
Reproduction
The vulnerability can be reproduced by starting the goshs server with the option -b ':pass', which specifies an empty username and a password, together with the -sftp option to enable SFTP. Once the server is running, an SFTP client can connect without a password or key and access files, demonstrating the authentication bypass.
Remediation
Users are advised to update to goshs version 2.0.0-beta.6 or later, where this vulnerability has been fixed.
