AzuraCast Path Traversal Vulnerability in Media Upload Endpoint Allows Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in AzuraCast versions prior to 0.23.6. The issue arises in the Flow.js media upload endpoint, where the 'currentDirectory' request parameter is not properly sanitized. This flaw enables authenticated users with media management permissions to write arbitrary files outside the designated media storage directory, particularly when using the default local filesystem storage. The vulnerability can be exploited by uploading a PHP webshell to the web root, leading to remote code execution.
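The defensive check the flaw calls for is containment of the resolved write path inside the media root. The function below is an added illustration, not AzuraCast's own (PHP) code; it mirrors the 'currentDirectory' parameter and the uploaded file name as inputs, and MEDIA_ROOT is a constructed example path, not a real install's configuration.

```python
import os
import posixpath
from typing import Optional

# Constructed example value standing in for a station's local media directory.
MEDIA_ROOT = "/var/azuracast/stations/example/media"


def safe_join(media_root: str, current_directory: str, filename: str) -> Optional[str]:
    """Return the absolute on-disk path for an upload, or None when the request
    would write outside media_root.

    current_directory plays the role of the Flow.js 'currentDirectory' request
    parameter and filename the uploaded file's name; both are untrusted input.
    """
    # Embedded NUL bytes would confuse the C-level path functions; refuse them.
    if "\x00" in current_directory or "\x00" in filename:
        return None
    # The uploaded name must be a bare file name, never a path fragment.
    if filename != posixpath.basename(filename) or filename in ("", ".", ".."):
        return None
    # An absolute 'currentDirectory' would make os.path.join discard the root.
    if posixpath.isabs(current_directory):
        return None
    # Resolve both sides (normalises "..", "." and any symlinks present on disk)
    # and compare the resolved result instead of pattern-matching "../" strings,
    # which misses mixed and re-encoded variants.
    root = os.path.realpath(media_root)
    candidate = os.path.realpath(os.path.join(root, current_directory, filename))
    # commonpath avoids the classic startswith() mistake where
    # "/srv/media_backup/x" would be accepted as living under "/srv/media".
    if os.path.commonpath([root, candidate]) != root:
        return None
    # A path that resolves to the root itself is not a valid file target either.
    if candidate == root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: one legitimate, one traversal, one absolute path.
    for directory, name in [("podcasts", "show.mp3"), ("../../..", "x.php"), ("/etc", "x")]:
        print(repr(directory), repr(name), "->", safe_join(MEDIA_ROOT, directory, name))
```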

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running as the user under which AzuraCast operates. This could lead to a full server compromise, as the user could access sensitive files, including database credentials and application secrets, and potentially escalate privileges to gain full administrative rights on the server.

Reproduction

To reproduce this vulnerability, upload a PHP file containing a webshell (such as one that executes system commands) through the Flow.js media upload endpoint. Include a path traversal sequence in the 'currentDirectory' parameter to write the file outside the intended directory. After the upload, the webshell can be accessed and used to execute commands on the server.

Remediation

Update to AzuraCast version 0.23.6 or later, where this vulnerability has been patched. The fixed release is available through the normal AzuraCast update process.

Added: May 9, 2026, 8:33 PM
Updated: May 9, 2026, 8:33 PM

Vulnerability Rating

Custom Algorithm scores:

spread: 3.4
impact: 10.0
exploitability: 6.2
remediation: 7.7
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.