Critical | Vulnerability | Active

Daptin Unauthenticated Path Traversal in File Upload Handler

Daptin's cloudstore.file.upload action does not validate user-supplied filenames, so an unauthenticated attacker can write arbitrary files to disk, either through path traversal sequences in the filename or through zip slip entry names in an uploaded archive. No credentials are required, and an arbitrary file write of this kind presents an immediate RCE risk.

Sebastion

CVE References

Affected

daptin/daptin <= v0.11.3

Vulnerability Analysis

Vulnerability Description & Root Cause

The vulnerability exists in server/actions/action_cloudstore_file_upload.go, where user-controlled filenames are written directly to disk without sanitization. This is a classic CWE-22 (Path Traversal) flaw compounded by a zip slip vector: archive entry names are honoured exactly as written. The root cause is the absence of filename validation, normalization, and canonical path resolution before any file I/O. An attacker can supply traversal sequences in the filename (e.g. ../../../etc/passwd) or craft an archive whose entry names escape the extraction directory; in both cases the write lands outside the intended upload directory.
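The following is an added example, not Daptin's own code, that shows the flawed join pattern beside a hardened one and a zip extractor that applies the same confinement check to every entry before anything is written. The function names (unsafeJoin, safeJoin, extractZip, buildZip), the /srv/uploads directory and the archive contents are assumptions made for illustration:

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when a user-supplied name would resolve outside the upload directory.
var ErrUnsafePath = errors.New("unsafe path: escapes upload directory")

// unsafeJoin reproduces the flawed pattern: the user-controlled name is joined to the
// upload directory with no check, so ".." components walk out of it.
// unsafeJoin("/srv/uploads", "../../../etc/passwd") returns "/etc/passwd".
func unsafeJoin(uploadDir, userName string) string {
	return filepath.Join(uploadDir, userName)
}

// safeJoin is the hardened form: reject empty names, null bytes and absolute paths,
// treat backslashes as separators, clean the result and confirm it is still beneath
// the upload directory. The check is lexical; it does not follow symlinks already in uploadDir.
func safeJoin(uploadDir, userName string) (string, error) {
	if userName == "" || strings.ContainsRune(userName, 0) {
		return "", ErrUnsafePath
	}
	name := filepath.FromSlash(strings.ReplaceAll(userName, "\\", "/"))
	if filepath.IsAbs(name) {
		return "", ErrUnsafePath
	}
	base, err := filepath.Abs(uploadDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, name) // Join cleans, so ".." is resolved here
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// extractZip unpacks an archive beneath destDir. Every entry name is validated with
// safeJoin before anything is written, so one zip slip entry rejects the whole archive
// instead of leaving a partial extraction behind.
func extractZip(archive []byte, destDir string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	targets := make([]string, len(zr.File))
	for i, f := range zr.File {
		t, err := safeJoin(destDir, f.Name)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", f.Name, err)
		}
		targets[i] = t
	}
	var written []string
	for i, f := range zr.File {
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(targets[i], 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(targets[i]), 0o755); err != nil {
			return written, err
		}
		if err := copyEntry(f, targets[i]); err != nil {
			return written, err
		}
		written = append(written, targets[i])
	}
	return written, nil
}

// copyEntry streams one archive entry to path.
func copyEntry(f *zip.File, path string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// buildZip builds an in-memory archive from name -> content pairs. It is constructed test
// data for this example; entry names are written verbatim, which is how a malicious
// archive carries "../" names.
func buildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, content := range entries {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		io.WriteString(w, content)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	for _, n := range []string{"photos/cat.png", "../../../etc/passwd", "..\\..\\evil.sh"} {
		p, err := safeJoin("/srv/uploads", n)
		fmt.Printf("unsafe: %-24s safe: %s %v\n", unsafeJoin("/srv/uploads", n), p, err)
	}
	dir, _ := os.MkdirTemp("", "daptin-upload")
	defer os.RemoveAll(dir)
	_, err := extractZip(buildZip(map[string]string{"ok.txt": "x", "../../evil.sh": "#!/bin/sh"}), dir)
	fmt.Println("zip slip archive:", err)
}
```

safeJoin is a lexical check: it guarantees the cleaned path is beneath the upload directory, but it does not defend against a symlink an attacker has already planted inside that directory; that needs an open that refuses to follow links (os.Root in Go 1.24, or O_NOFOLLOW on Unix) or a dedicated upload volume. extractZip validates every name before the first write so that a rejected archive leaves nothing on disk.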

PoC Significance for Defenders

The existence of a PoC shows the vulnerability is trivial to exploit: it requires no authentication or special privileges and works over ordinary HTTP/HTTPS (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). Reliability is high because the flaw is a missing check with no race condition or memory-corruption dependency. Organizations running Daptin <= v0.11.3 should treat it as exploitable by anyone who can reach the service. Because no credentials are needed, perimeter exposure alone is sufficient, and the zip slip component extends the risk to deployments that only accept compressed uploads.

Detection Guidance

  • Web Application Firewall (WAF): Monitor POST/PUT requests that invoke the cloudstore.file.upload action (e.g. /actions/cloudstore.file.upload) for path traversal payloads in the filename: ../, ..\, and percent-encoded or double-encoded variants (%2e%2e%2f, %252e%252e%252f). Decode before matching; a rule that only inspects the raw URI misses a payload carried in a JSON body.
  • Log Indicators: Search application logs for file creation events whose paths contain parent-directory references or land outside the configured upload directory. A burst of permission-denied errors from the Daptin process followed by a successful write is a typical sign of an attacker probing for a writable location.
  • Network Signatures: IDS/IPS rules should flag requests to the upload action whose filenames contain null bytes (%00), backslashes, or dot-dot-slash sequences. These rules only see cleartext, so place them behind TLS termination.
  • Filesystem Monitoring: HIDS tools (osquery, auditd) should alert on file creation by the Daptin process outside its upload directory, particularly in /etc, /etc/cron.d, /usr/local/bin and web roots such as /var/www.
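To make the WAF and IDS guidance concrete, here is an added example (not from the page's author or the Daptin project) that runs those checks over constructed request records: it strips up to three layers of percent-encoding, then looks for parent-directory references, backslashes and null bytes in both the request target and the body. The request record format, the /actions/cloudstore.file.upload path taken from the bullet above, and all sample data are assumptions made for this example:

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// request is one observed HTTP request: method, request target (path + query)
// and the body as logged. sampleRequests below is constructed data.
type request struct {
	method, target, body string
}

// finding records which request was flagged and why.
type finding struct {
	index   int
	reasons []string
}

// traversalPattern matches a parent-directory reference: ".." at the start of a
// value or after a non-word character, followed by a slash, backslash, or end.
// "notes..txt" does not match; "../x", "=../x" and `"..\x"` do.
var traversalPattern = regexp.MustCompile(`(?:^|[^\w.])\.\.(?:[\\/]|$)`)

// decodeOnce removes one layer of percent-encoding; malformed input is returned
// unchanged so scanning can continue.
func decodeOnce(s string) string {
	d, err := url.PathUnescape(s)
	if err != nil {
		return s
	}
	return d
}

// decodeFully removes up to three layers so that %2e%2e%2f and the
// double-encoded %252e%252e%252f both reduce to "../".
func decodeFully(s string) string {
	for i := 0; i < 3; i++ {
		d := decodeOnce(s)
		if d == s {
			break
		}
		s = d
	}
	return s
}

// indicators returns the traversal indicators present in one value.
func indicators(raw string) []string {
	var out []string
	full := decodeFully(raw)
	if decodeOnce(raw) != full {
		out = append(out, "multi-layer percent-encoding")
	}
	if strings.ContainsRune(full, 0) {
		out = append(out, "null byte")
	}
	if traversalPattern.MatchString(full) {
		out = append(out, "parent-directory reference")
	}
	if strings.Contains(full, "\\") {
		out = append(out, "backslash separator")
	}
	return out
}

// scanRequests applies the checks to every request that invokes the
// cloudstore.file.upload action, inspecting both the target and the body.
func scanRequests(reqs []request) []finding {
	var findings []finding
	for i, r := range reqs {
		if !strings.Contains(r.target, "cloudstore.file.upload") {
			continue
		}
		reasons := append(indicators(r.target), indicators(r.body)...)
		if len(reasons) > 0 {
			findings = append(findings, finding{index: i, reasons: reasons})
		}
	}
	return findings
}

// sampleRequests is constructed traffic: one clean upload, five hostile ones, one
// benign name containing "..", and one request to an unrelated endpoint.
var sampleRequests = []request{
	{"POST", "/actions/cloudstore.file.upload", `{"name":"report.pdf","path":"docs"}`},
	{"POST", "/actions/cloudstore.file.upload", `{"name":"../../../etc/cron.d/job"}`},
	{"POST", "/actions/cloudstore.file.upload?name=..%2f..%2fvar%2fwww%2fshell.php", `{}`},
	{"POST", "/actions/cloudstore.file.upload", `{"name":"%252e%252e%252fetc%252fpasswd"}`},
	{"POST", "/actions/cloudstore.file.upload", `{"name":"..\\..\\win.ini"}`},
	{"POST", "/actions/cloudstore.file.upload", `{"name":"shell%00.png"}`},
	{"POST", "/actions/cloudstore.file.upload", `{"name":"notes..txt"}`},
	{"GET", "/api/user", ""},
}

func main() {
	for _, f := range scanRequests(sampleRequests) {
		r := sampleRequests[f.index]
		fmt.Printf("ALERT request #%d %s %s: %s\n", f.index, r.method, r.target, strings.Join(f.reasons, ", "))
	}
}
```

The scope filter on the action name keeps the rule quiet on the rest of the API; widening it to every write endpoint is a tuning choice, as is the three-layer decode limit, which is enough to catch double-encoding without turning every literal percent sign into a decode loop.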

Mitigation Steps

  1. Immediate: Restrict network access to Daptin instances; put them behind an IP allowlist or an authenticating proxy.
  2. Short-term: Until a patch is available, use Daptin's permission system to require authentication and authorization for the cloudstore.file.upload action.
  3. Upgrade: Move to a fixed release as soon as one is published (watch the project's GitHub advisory).
  4. Configuration Hardening: Run Daptin as an unprivileged user with write access only to its data and upload directories; use containerization or chroot to limit the blast radius of any file write.
  5. Input Validation at the Edge: If patching is delayed, add a reverse proxy rule that rejects requests to the upload action whose filename contains .., ./, %2e (including double-encoded %252e), backslashes, or null bytes. A proxy rule cannot see entry names inside an uploaded archive, so the zip slip path is only closed by disabling archive uploads or by patching.

Risk Assessment

Likelihood of Exploitation: Very High. The attack requires zero authentication, minimal sophistication, and delivers file write capabilities. Automated scanning tools will likely detect and exploit unpatched instances. Threat actors actively scan for file upload vulnerabilities as entry points for persistence and RCE.

Threat Actor Interest: Critical. Path traversal leading to arbitrary file writes is a direct pathway to RCE if attackers can write executable code (web shells in web roots, scripts in cron directories, shared libraries). The unauthenticated nature makes this a strategic reconnaissance and initial access target.

Exploitation in the Wild: Active exploitation should be expected given the CVSS 10.0 rating, public disclosure, and straightforward attack mechanics. Enterprises running internet-facing Daptin instances are at immediate risk.