A vulnerability has been discovered in Agnai that permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement.
This does not affect:
https://cwe.mitre.org/data/definitions/35.html
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the editCharacter
handler https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:
POST /api/character/28cbe508-2fa9-4890-886e-61d73e22006c%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2f%64%69%73%74%2f%64%61%6e%79%61%6e%67 HTTP/1.1
The path traversal character sequence makes it’s way into the id
variable which is then string interpolated into filename
.
export async function entityUpload(kind: string, id: string, attachment?: Attachment) {
if (!attachment) return
const filename = `${kind}-${id}`
return upload(attachment, filename)
}
https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55
No path normalization is conducted nor checked, so attackers can freely manipulate the path which the file is uploaded to.
This vulnerability is classified as a path traversal vulnerability. Attackers can upload image files to arbitrary locations, potentially overwriting critical system image files.
Security research in collaboration with Analyst Danyang Liu (noe223) @noe233