goshs Cross-Site Request Forgery Vulnerability in PUT Upload Handler
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the goshs SimpleHTTPServer application written in Go, affecting versions through 2.0.1. The issue arises in the PUT upload handler, which lacks the CSRF token validation present in the POST upload handler. This vulnerability is compounded by a permissive Cross-Origin Resource Sharing (CORS) policy that allows any website to send PUT requests to the goshs server. As a result, arbitrary files can be written to the goshs instance from the victim's browser, bypassing network isolation.
Impact
Exploitation of this vulnerability allows for arbitrary file writes to the goshs webroot, with the potential to silently overwrite existing files.
Reproduction
To reproduce this vulnerability, upload a file using a PUT request from a website that you control. The goshs server will accept the file without CSRF token validation, and the file will be written to the webroot, potentially overwriting an existing file.
Remediation
Users can upgrade to goshs version 2.0.2, which addresses this vulnerability by adding CSRF token validation to the PUT upload handler and removing the wildcard CORS policy.
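The two controls named in the remediation, sketched as a Go middleware. This is an added example, not goshs's own code: the `guard` type, the `try` helper, the `X-CSRF-Token` header name, and the sample token and origins are all assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// guard is a hypothetical middleware; its names and the header are assumptions, not goshs code.
type guard struct {
	token   string          // per-instance secret served only to the server's own pages
	origins map[string]bool // explicit CORS allow-list instead of "*"
}

func (g guard) wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); g.origins[o] { // never answer with a wildcard
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT")
			w.Header().Set("Access-Control-Allow-Headers", "X-CSRF-Token")
		}
		switch r.Method {
		case http.MethodGet, http.MethodHead: // read-only, no token needed
		case http.MethodOptions: // preflight: unlisted origins get no CORS headers
			w.WriteHeader(http.StatusNoContent)
			return
		default: // every state-changing method shares one check, so PUT cannot skip it
			if got := r.Header.Get("X-CSRF-Token"); got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(g.token)) != 1 {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func try(method, origin, token string) (status int, allowOrigin string) { // one constructed request
	g := guard{"constructed-sample-token", map[string]bool{"http://127.0.0.1:8000": true}}
	stub := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusCreated) })
	req := httptest.NewRequest(method, "/upload.txt", nil)
	req.Header = http.Header{"Origin": {origin}, "X-Csrf-Token": {token}}
	rec := httptest.NewRecorder()
	g.wrap(stub).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	fmt.Println(try("PUT", "https://attacker.example", "")) // rejected: 403, no CORS header
}
```

Putting the token check in the method switch's default branch, rather than inside individual handlers, means a newly added upload path cannot ship without it.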
