
[XBOW-025-109] Path Traversal Vulnerability in GHOSTS API 8.x Photo Retrieval Endpoint

Critical
sei-dupdyke published GHSA-qr67-m6w9-wj3j Feb 19, 2025

Package

GHOSTS API

Affected versions

GHOSTS API v8.0.0 through 8.2.7.90

Patched versions

8.2.7.90

Description

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

A path traversal vulnerability was discovered in GHOSTS version 8.0.0.0 that allows an attacker to access files outside of the intended directory through the photo retrieval endpoint. The vulnerability exists in the /api/npcs/{id}/photo endpoint, which is designed to serve profile photos for NPCs (Non-Player Characters) but fails to properly validate and sanitize file paths.

When an NPC is created with a specially crafted photoLink value containing path traversal sequences (../, .., etc.), the application processes these sequences without proper sanitization. This allows an attacker to traverse directory structures and access files outside of the intended photo directory, potentially exposing sensitive system files.

The vulnerability is particularly severe because it allows reading arbitrary files from the server's filesystem with the permissions of the web application process, which could include configuration files, credentials, or other sensitive data.

Steps to Reproduce

  1. Create a new NPC by sending a POST request to /api/npcs with a valid GUID and including path traversal in the photoLink:
POST /api/npcs HTTP/1.1
Host: ghosts:5000
Content-Type: application/json

{
  "id": "<valid-guid>",
  "name": {"firstName": "test", "lastName": "test"},
  "photoLink": "..//../..//../..//etc/passwd"
}
  2. Access the photo endpoint for the created NPC:
GET /api/npcs/<npc-id>/photo HTTP/1.1
Host: ghosts:5000

After following these steps, the server responds with the contents of the target file instead of a legitimate photo, demonstrating successful path traversal. The application returns the file content with a Content-Type of image/jpg, regardless of the actual file type.

Mitigations available in GHOSTS API v8.2.7.90 and later

  • Path validation and sanitization that removes or blocks path traversal sequences (../, .., etc.) before processing file paths.
  • The photo path must resolve to a location inside the valid image directory and must have a valid image extension (jpeg, jpg, png).
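The two mitigations above, written out as an added example (this is illustrative code, not the GHOSTS project's own): the unchecked join that the advisory describes, beside a hardened resolver that rejects traversal components, enforces the jpeg/jpg/png allowlist and confirms the canonical path stays inside the image root. The image root `/srv/ghosts/images` is a constructed placeholder; the real GHOSTS image directory is not named on the page.

```python
import posixpath
from pathlib import PurePosixPath
from typing import Optional

# Constructed placeholder for the example; not the real GHOSTS image directory.
IMAGE_ROOT = "/srv/ghosts/images"

# Extension allowlist named in the advisory's mitigation list.
ALLOWED_EXTENSIONS = {".jpeg", ".jpg", ".png"}


def naive_photo_path(photo_link: str, image_root: str = IMAGE_ROOT) -> str:
    """The vulnerable pattern: join the stored photoLink onto the image
    directory and normalize it without checking where it ends up.
    A photoLink full of '..' segments climbs out of the image directory."""
    return posixpath.normpath(posixpath.join(image_root, photo_link))


def resolve_photo_path(photo_link: str, image_root: str = IMAGE_ROOT) -> Optional[str]:
    """Hardened resolver: return the file path to serve, or None to reject.

    Rejection happens on any of: empty/NUL-containing input, an explicit
    '..' or '.' component, a disallowed extension, or a canonical path that
    does not remain under image_root."""
    if not photo_link or "\x00" in photo_link:
        return None
    # Treat the link as a relative name only; strip leading separators so an
    # absolute value cannot anchor itself outside the root.
    relative = PurePosixPath(photo_link.replace("\\", "/").lstrip("/"))
    # Block traversal sequences outright (mitigation 1).
    if any(part in ("..", ".") for part in relative.parts):
        return None
    # Enforce the image extension allowlist (mitigation 2, case-insensitive).
    if relative.suffix.lower() not in ALLOWED_EXTENSIONS:
        return None
    # Canonicalize and require the result to stay inside the image root
    # (mitigation 2): commonpath equals the root only when no escape occurred.
    root = posixpath.normpath(image_root)
    candidate = posixpath.normpath(posixpath.join(root, str(relative)))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # The photoLink value from the advisory's reproduction step.
    link = "..//../..//../..//etc/passwd"
    print("naive    :", naive_photo_path(link))      # escapes to /etc/passwd
    print("hardened :", resolve_photo_path(link))    # None (rejected)
```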

Impact

This vulnerability allows authenticated users to read arbitrary files from the server's filesystem that are accessible to the application's service account. The impact is high as it could lead to exposure of sensitive information such as configuration files, credentials, or other confidential data stored on the server.

Severity

Critical

CVE ID

CVE-2025-27092

Weaknesses

No CWEs

Credits