Daptin Unauthenticated Path Traversal and Zip Slip Vulnerability
Daptin versions up to and including v0.11.3 are vulnerable to unauthenticated path traversal and zip slip attacks via the cloudstore.file.upload action, allowing arbitrary file write and potential remote code execution.
Daptin, a cloud application, is susceptible to a critical vulnerability affecting versions up to and including v0.11.3. The vulnerability resides in the cloudstore.file.upload action within the server/actions/action_cloudstore_file_upload.go component. This flaw stems from the insufficient validation of user-supplied filenames during file uploads, enabling unauthenticated attackers to perform path traversal and zip slip attacks. By manipulating filenames, attackers can write arbitrary files to the server's file system. This can lead to overwriting critical system files, injecting malicious code, and ultimately achieving remote code execution. The unauthenticated nature of the vulnerability makes it easily exploitable and poses a significant risk to Daptin deployments.
Attack Chain
- An unauthenticated attacker sends a malicious HTTP request to the Daptin server targeting the
cloudstore.file.uploadaction. - The request includes a crafted filename containing path traversal sequences (e.g.,
../,..\\). - The Daptin server's
action_cloudstore_file_upload.goprocesses the request without proper validation of the filename. - The server attempts to write the uploaded file to a location derived from the malicious filename.
- Due to the path traversal sequences, the file is written to an arbitrary location on the server's file system, outside the intended upload directory.
- If the uploaded file is a ZIP archive, the attacker can further exploit the vulnerability using a zip slip attack by including filenames with directory traversal characters inside the archive.
- The server extracts the files from the ZIP archive, writing them to arbitrary locations based on the manipulated filenames inside the archive.
- The attacker overwrites critical system files or injects malicious code (e.g., a web shell) leading to remote code execution on the Daptin server.
Impact
Successful exploitation of this vulnerability allows unauthenticated attackers to write arbitrary files to the Daptin server's file system. This can lead to several severe consequences, including: overwriting critical system files, injecting malicious code (e.g., web shells), gaining unauthorized access to sensitive data, and ultimately achieving remote code execution. Given the CVSS score of 10.0, this vulnerability poses a critical risk to organizations using affected versions of Daptin. Without proper patching or workarounds, affected systems are highly susceptible to compromise.
Recommendation
- Upgrade to a patched version of Daptin as soon as it is released to remediate the underlying vulnerability (reference: Patches section).
- Implement temporary mitigation by restricting access to the
cloudstore.file.uploadaction through authentication and authorization controls until a patch is available (reference: Workarounds section). - Deploy the Sigma rule
Detect Daptin Path Traversal in Uploadto monitor for suspicious file upload requests with path traversal sequences in the filename (reference: Sigma rule).
Detection coverage 1
Detect Daptin Path Traversal in Upload
criticalDetects attempts to exploit the Daptin path traversal vulnerability by monitoring HTTP requests to the cloudstore.file.upload action containing path traversal sequences in the filename.
Detection queries are available on the platform. Get full rules →