Algernon Path Traversal Vulnerability Allowing Arbitrary File Writes

Vulnerability

A path traversal vulnerability has been identified in Algernon versions prior to 1.17.6. The issue arises in the uploadedFileSaveIn() function within lua/upload/upload.go, where a user-supplied directory input is joined onto the upload location with filepath.Join() and nothing verifies that the resulting path still lies inside the intended directory. Because filepath.Join() cleans the result, ".." segments in the input are resolved rather than rejected, so an attacker can steer the write outside the intended directory. For example, a directory input of '../../../tmp' would resolve to '/tmp', outside the web root. If Algernon is run as root and configured for file uploads without adequate safeguards in the user-provided Lua code, this vulnerability could be exploited to upload files to sensitive areas of the system.
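
The following is an added illustration, not Algernon's own code: a hypothetical vulnerableSavePath() that mirrors the unchecked filepath.Join() pattern described above, beside a safeSavePath() that rejects any result escaping the base directory. The base directory, function names and sample inputs are assumptions for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the resolved path escapes the upload root.
var ErrOutsideBase = errors.New("upload path escapes base directory")

// vulnerableSavePath (hypothetical) shows the flaw: the user-supplied directory is
// joined onto the base with filepath.Join and nothing checks that the result is
// still under base. Join cleans the path, so "../../../tmp" under
// "/srv/www/uploads" becomes "/tmp/...".
func vulnerableSavePath(base, userDir, filename string) string {
	return filepath.Join(base, userDir, filename)
}

// safeSavePath (hypothetical) joins the same inputs, then requires the cleaned
// result to start with base plus a separator. The separator matters: a bare
// prefix check would accept "/srv/www/uploads2" as inside "/srv/www/uploads".
// The check is lexical only; symlinks below base can still point elsewhere,
// so a stricter deployment would also resolve them (filepath.EvalSymlinks) or
// use os.Root (Go 1.24+) to confine all file operations to base.
func safeSavePath(base, userDir, filename string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// filepath.Base strips any directory components smuggled in the file name.
	candidate := filepath.Join(absBase, userDir, filepath.Base(filename))
	if !strings.HasPrefix(candidate, absBase+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

func main() {
	base := "/srv/www/uploads" // constructed sample base directory
	for _, dir := range []string{"avatars", "../../../tmp", "..", "../uploads/ok"} {
		fmt.Printf("dir=%q\n  vulnerable: %s\n", dir, vulnerableSavePath(base, dir, "f.txt"))
		p, err := safeSavePath(base, dir, "f.txt")
		fmt.Printf("  hardened:   %s %v\n", p, err)
	}
}
```

Inputs that resolve to a location under the base directory (such as "../uploads/ok") are still accepted, since only the final resolved location matters for the check.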

Impact

Exploitation of this vulnerability could lead to unauthorized file uploads to arbitrary locations on the server, potentially overwriting critical files or filling up disk space. If Algernon is running as root, uploaded files could be placed in system directories, whereas a non-root installation would confine uploads to the user's home directory.

Remediation

Users are advised to upgrade to Algernon version 1.17.6 or later, where this vulnerability has been patched. For those using systemd to manage the Algernon service, it is recommended to implement a stricter service file that limits file upload capabilities. Additionally, reviewing and enhancing the safeguards in the Lua source code can help mitigate the risk of exploitation.

Added: May 26, 2026, 11:15 PM
Updated: May 26, 2026, 11:15 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.2
exploitability: 8.9
remediation: 8.3
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.