Casdoor
cpe:2.3:a:casbin:casdoor:*:*:*:*:*:*:*
A path traversal vulnerability allowing arbitrary file write has been identified in Casdoor's Local File System storage provider. This issue arises from inadequate sanitization of user-supplied file paths. An authenticated attacker with administrative privileges can exploit this vulnerability by uploading files through the '/api/upload-resource' endpoint, bypassing the application's intended storage sandbox and overwriting or creating files anywhere on the host filesystem.
Exploitation of this vulnerability could lead to unauthorized file creation or modification on the host system. This includes overwriting files accessible to the Casdoor process, potentially disrupting authentication services by modifying the backend database file 'casdoor.db'. Such actions could lock out users and affect applications dependent on Casdoor.
A pull request has been submitted to the Casdoor repository to address this vulnerability by implementing proper validation of storage paths. In the meantime, administrators should limit administrative access, restrict the filesystem permissions of the Casdoor service account, and avoid using the Local File System provider in multi-user or exposed environments.
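The kind of storage-path validation described above, as an added Go example; it is not Casdoor's code or the submitted pull request. The function names, error value and root directory are hypothetical, and the check is lexical only, so it assumes no symlinks exist inside the storage root.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot (hypothetical name) reports a key that resolves outside the storage root.
var ErrOutsideRoot = errors.New("path escapes storage root")

// naiveJoin shows the weak pattern: Join collapses ".." segments, so the
// result can land outside root even though root is the first argument.
func naiveJoin(root, userPath string) string {
	return filepath.Join(root, userPath)
}

// safeJoin resolves userPath under root and rejects any result that is not
// strictly inside root. Assumption: root contains no symlinks.
func safeJoin(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absRoot, userPath)
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	// "." is the root itself; ".." or "../x" is above it. A name such as
	// "..foo" is a legitimate file inside root and must pass.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() {
	root := "/var/lib/casdoor/files" // constructed sample root
	// Constructed sample keys: two benign, three that leave the root.
	for _, key := range []string{"avatars/a.png", "..notes.txt", "../casdoor.db", "a/../../b", ".."} {
		p, err := safeJoin(root, key)
		fmt.Printf("%-16q naive=%-32q safe=%q err=%v\n", key, naiveJoin(root, key), p, err)
	}
}
```

Run the check on the server side immediately before the file is opened for writing, and keep the filesystem permissions of the service account restricted as a second layer.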