Summary
An attacker can leak local files including environment variables, nginx logs and configuration secrets due to a path traversal exploit in SecurePathController.php.
Details
The class SecurePathController.php does not perform any check against path traversal, so a low-privileged user can read arbitrary files on the system. This can be used to leak environment variables with requests such as GET /image/..%2fconf%2f.env
and GET /image/..%2fvar%2fwww%2fhtml%2fLychee%2f.env
It can also expose the nginx log history, which lets an attacker see every other request made to the website and thereby leak other users' uploaded images.
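As an added example that is not part of this advisory or of Lychee's own code, the following Python models the missing containment check (the naive join that the report describes) next to a hardened resolver, and reuses that resolver as a detection over nginx access-log lines. IMAGE_ROOT, the /image/ route prefix, the log lines and all function names are assumptions constructed for the example; the real controller is PHP and the directory actually served depends on the deployment.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed on-disk root behind the /image/ route. The real directory depends on
# the Lychee deployment; this value is a placeholder for the example only.
IMAGE_ROOT = "/var/www/html/Lychee/public/uploads"


def naive_path(requested: str) -> str:
    """Model of a controller that joins the request segment onto the root with
    no containment check: '..' segments simply walk out of IMAGE_ROOT."""
    return posixpath.normpath(posixpath.join(IMAGE_ROOT, unquote(requested)))


def secure_path(requested: str, root: str = IMAGE_ROOT) -> Optional[str]:
    """Hardened resolver: returns the absolute path only if it stays inside root.

    The advisory shows the traversal in URL-encoded form (..%2f); a single
    percent-decode is applied here (assumption about where decoding happens).
    """
    decoded = unquote(requested)
    # Refuse a second layer of encoding or NUL bytes instead of interpreting them
    # (conservative: a literal '%' in a file name is also refused).
    if "%" in decoded or "\x00" in decoded:
        return None
    # An absolute segment would make join() discard the root entirely.
    if decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # normpath has collapsed every '..', so compare the final location to root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Request line inside an nginx combined-format access log entry.
LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (?P<path>\S+) HTTP/')


def flag_traversal(log_lines: List[str], prefix: str = "/image/") -> List[str]:
    """Return request paths under the image route whose segment escapes IMAGE_ROOT.

    Using the same resolver for detection keeps the log review consistent with
    what the hardened controller would reject.
    """
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        path = match.group("path")
        if not path.startswith(prefix):
            continue
        if secure_path(path[len(prefix):]) is None:
            hits.append(path)
    return hits


# Constructed sample log lines (not real traffic); the two encoded requests are
# the shapes quoted in the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /image/photo.jpg HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /image/..%2fconf%2f.env HTTP/1.1" 200 812',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /image/..%2fvar%2fwww%2fhtml%2fLychee%2f.env HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    print("naive resolution:", naive_path("..%2fconf%2f.env"))
    print("hardened resolution:", secure_path("..%2fconf%2f.env"))
    print("flagged requests:", flag_traversal(SAMPLE_LOG))
```

The containment test compares the normalized candidate against the root with a trailing separator, so a sibling directory that merely shares the root's name as a prefix is not accepted either.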
PoC
Any user, even without admin rights, can read arbitrary system files with a simple request such as:

Impact
If an attacker has access to any low-privileged user account, they can exploit the path traversal to leak private server information as well as other users' private uploads.
Patch
The patch to resolve this issue is found here: ae7270b