Description
System Path Disclosure Vulnerability in /adminFile/upload (CWE-209)
Summary
A system path disclosure vulnerability exists in the /adminFile/upload endpoint. The application’s DTO (Data Transfer Object) layer is improperly configured, causing it to directly return the full entity object to the frontend. As a result, sensitive information such as the real file storage path on the server is exposed in API responses. This information can be leveraged by attackers to gain insights into the server’s file structure, increasing the risk of further exploitation.
Details
When a file is uploaded via /adminFile/upload, the application returns the entire entity object without filtering sensitive fields. The response includes the absolute file path on the server, which should not be exposed externally.
This type of information exposure is categorized under CWE-209: Information Exposure Through an Error Message or Debug Interface, as it reveals server-side implementation details that could assist attackers in identifying valuable targets or crafting further attacks.
Proof of Concept (PoC)
- Send a file upload request to the vulnerable endpoint:

```http
POST /adminFile/upload HTTP/1.1
Host: localhost
Sec-Fetch-Mode: cors
Cookie: Admin-Token=7d0dbfa312c24cacb580fb124589e3e2
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua-mobile: ?0
Accept-Encoding: gzip, deflate, br, zstd
Admin-Token: 7d0dbfa312c24cacb580fb124589e3e2
Referer: http://localhost/index.html
Origin: http://localhost
sec-ch-ua-platform: "Windows"
Accept: application/json, text/plain, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryL8sJl8GxTDNt7sFa
Sec-Fetch-Dest: empty
sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138", "Google Chrome";v="138"
Content-Length: 11378

------WebKitFormBoundaryL8sJl8GxTDNt7sFa
Content-Disposition: form-data; name="file"; filename="2.jpg"
Content-Type: image/jpeg

```
- Observe the response, which contains the actual file storage path on the system.
Impact
- Information Disclosure: Attackers can gain insights into the server’s directory structure.
- Facilitates Further Exploits: Leaked paths may assist attackers in performing path traversal, arbitrary file read, or local file inclusion (LFI) attacks if combined with other vulnerabilities.
- Increased Attack Surface: Knowledge of exact file locations can speed up reconnaissance and privilege escalation attempts.
Root Cause
- The backend directly returns entity objects instead of filtered DTOs.
- Lack of response data sanitization allows sensitive internal fields, such as absolute file paths, to be exposed.
Recommendation
Implement a proper DTO layer that excludes sensitive fields such as absolute system paths from API responses. Only return necessary data (e.g., file ID or relative access URL) to clients.
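The following is an added illustration of the recommended fix, not code from the affected project. It assumes a Java backend (the entity/DTO vocabulary of the report suggests one); the class names, the `/adminFile/download` route and the sample path are hypothetical. The response type simply has no field for the storage path, so no serializer setting can leak it, and the access URL is derived from the opaque file id rather than from the filesystem location.

```java
import java.nio.file.Path;
import java.util.Objects;

// Hypothetical persistence entity, mirroring what a file-storage table holds.
// storagePath is an internal detail and must never be returned to clients.
final class StoredFileEntity {
    final long id;
    final String originalName;
    final Path storagePath;   // absolute server path (constructed sample below)
    final long sizeBytes;

    StoredFileEntity(long id, String originalName, Path storagePath, long sizeBytes) {
        this.id = id;
        this.originalName = originalName;
        this.storagePath = storagePath;
        this.sizeBytes = sizeBytes;
    }
}

// Response DTO: only what the frontend needs. There is deliberately no
// storagePath field, so the JSON mapper cannot expose it by accident.
record FileUploadResponse(long fileId, String fileName, long sizeBytes, String accessUrl) {

    // Map entity -> DTO. The URL comes from a fixed public route plus the
    // opaque id, never from the on-disk location.
    static FileUploadResponse from(StoredFileEntity e, String publicRoute) {
        Objects.requireNonNull(e, "entity");
        return new FileUploadResponse(e.id, e.originalName, e.sizeBytes,
                publicRoute + "/" + e.id);
    }
}

public final class UploadResponseDemo {
    public static void main(String[] args) {
        // Constructed sample: what the upload handler would have persisted.
        StoredFileEntity entity = new StoredFileEntity(
                42, "2.jpg", Path.of("/srv/app/uploads/2024/ab12.jpg"), 11378);

        // This DTO, not the entity, is what the controller should return.
        FileUploadResponse dto = FileUploadResponse.from(entity, "/adminFile/download");
        System.out.println(dto);

        // Regression guard: the rendered response must not contain the server path.
        if (dto.toString().contains(entity.storagePath.toString())) {
            throw new IllegalStateException("response leaks server path");
        }
    }
}
```

The same guard can be turned into a unit test on the real controller's serialized output, so a future field added to the entity does not silently reintroduce the disclosure.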