Attack Chain

1. An unauthenticated attacker sends a POST request to the /api/delete-file endpoint.
2. The attacker crafts the filesToDelete array within the request body to include filenames containing path traversal sequences (e.g., ../).
3. The application receives the POST request and processes the filesToDelete array without proper validation or sanitization of the provided filenames.
4. The application attempts to resolve the file path based on the attacker-supplied input, leading to directory traversal outside of the intended application directory.
5. The application proceeds to delete the files specified in the filesToDelete array based on the manipulated file paths.
6. The attacker targets critical application files such as server.js or package.json using the path traversal vulnerability.
7. The targeted critical files are successfully deleted by the application.
8. The application experiences a denial of service due to the absence of essential files required for its operation.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to delete arbitrary files on the system. This can lead to the deletion of critical application files like server.js or package.json, resulting in a complete denial of service. Given the high CVSS score of 9.1, this vulnerability represents a significant risk. The absence of authentication by default makes exploitation straightforward, increasing the likelihood of successful attacks.

Recommendation

• Deploy the Sigma rule to detect malicious POST requests containing path traversal sequences targeting the /api/delete-file endpoint.
• Inspect web server logs for POST requests to /api/delete-file with filename parameters containing ../ sequences.
• Apply input validation and sanitization to the filesToDelete parameter in the /api/delete-file endpoint to prevent path traversal attacks.
• Enforce authentication on the /api/delete-file endpoint to restrict access to authorized users only.