VU#937808: Casdoor contains Ar... Note

VU#937808: Casdoor contains Arbitrary File Write vulnerability

Casdoor, an IAM platform, suffers from an arbitrary file write vulnerability due to improper path sanitization. The vulnerability lies within the "Local File System" storage provider, allowing authenticated users with upload privileges to write files outside the intended storage directory. Attackers exploit the /api/upload-resource endpoint by manipulating the pathPrefix parameter, using directory traversal techniques. This allows them to create or overwrite files on the host system, bypassing security restrictions. Successful exploitation can lead to various impacts, including file overwriting, persistence mechanisms, and database corruption. The attacker needs an authenticated session and file upload permissions to leverage this vulnerability. The severity of the impact depends on the Casdoor service account's privileges. A pull request has been submitted to fix the path validation issue. Users are advised to limit administrative access, restrict filesystem permissions, and avoid using the Local File System provider. The vulnerability was discovered and reported by Danilo Dell'Orco.