WebStack-Guns Path Traversal (CWE-22)

Submitter: sh7err@vEcho
Target Product: WebStack-Guns (open-source navigation CMS)
Affected Version: 1.0 (current master)
Tested Environment: commit HEAD of https://github.com/jsnjfz/WebStack-Guns on Java 8 / Spring Boot 2.0.1
Vulnerability Type: Path Traversal leading to arbitrary file read
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Base 7.5)

Summary

The public /kaptcha/{pictureId} endpoint does not sanitize the attacker-controlled pictureId path variable before concatenating it with the configured upload path. Any unauthenticated remote user can traverse out of the upload directory and make the server return any file readable by the application user.

Component Overview

com.jsnjfz.manage.modular.system.controller.KaptchaController#renderPicture (src/main/java/com/jsnjfz/manage/modular/system/controller/KaptchaController.java:114-127)
com.jsnjfz.manage.config.web.shiroFilter (src/main/java/com/jsnjfz/manage/config/web/ShiroConfig.java:140-189)
com.jsnjfz.manage.config.properties.GunsProperties#getFileUploadPath

Proof of Concept

1. Deploy WebStack-Guns with the default configuration, where guns.file-upload-path points to a writable directory (e.g. /tmp/).
2. Send the following HTTP request without authenticating:
3. The controller concatenates the value returned by GunsProperties#getFileUploadPath with the supplied pictureId ".././.././../etc/passwd" (with the /tmp/ base above, the filesystem resolves the result to /etc/passwd), reads it via FileUtil.toByteArray, and streams the bytes back in the HTTP response.

Root Cause Analysis

pictureId is concatenated directly onto the upload directory; the combined path is neither normalized nor checked for containment within that directory.
The Shiro filter chain configured in ShiroConfig exposes /kaptcha/** to unauthenticated users, so no login is required to reach the endpoint.
GunsProperties#getFileUploadPath returns the configured directory as-is and performs no sanitization, so nothing between the request and the filesystem read prevents traversal.

Impact

Any remote, unauthenticated attacker can read arbitrary files accessible to the application service account. This includes the database credentials in application.yml, which can then be used to chain further attacks against the deployment.

Recommended Remediation

1. Treat pictureId as untrusted input. Reject any value containing a path separator ("/" or "\") or a ".." segment; better, accept only an allow-listed pattern matching the identifiers the application itself generates.
2. Build the filesystem path with Paths.get(uploadDir, pictureId).toAbsolutePath().normalize() and verify with Path#startsWith that the result is still inside the normalized upload base directory. A String prefix comparison is not sufficient, because "/tmp/uploads2" starts with "/tmp/uploads" while lying outside it.
3. Consider serving uploaded thumbnails through a dedicated controller that maps an opaque identifier to a stored file name, so that no client-supplied string is ever used as a path component.
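The following is an added example, not code from WebStack-Guns, showing the root-cause pattern (upload directory + untrusted value) next to a hardened resolver that applies remediation steps 1 and 2 above. The class and method names, and the assumed identifier format (letters, digits, "-" and "_", optionally one image extension), are illustrative assumptions; the "/tmp/" base directory and the ".././.././../etc/passwd" payload are the values from this advisory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Added example (not WebStack-Guns code): the vulnerable concatenation pattern
 * beside a hardened resolver for a /kaptcha/{pictureId}-style endpoint.
 * Class, method and variable names are illustrative assumptions.
 */
public class SafePictureResolver {

    // Assumed allow-list: only identifiers the application itself generates
    // (letters, digits, '-' and '_', optionally one image extension).
    private static final Pattern PICTURE_ID =
            Pattern.compile("[A-Za-z0-9_-]{1,64}(\\.(png|jpg|jpeg|gif))?");

    /** Vulnerable pattern: base directory + untrusted value, no normalization or containment check. */
    static String vulnerableResolve(String uploadDir, String pictureId) {
        return uploadDir + pictureId;
    }

    /**
     * Hardened resolver: allow-list the identifier, then normalize the joined path
     * and require that it stays inside the upload directory. Uses Path#startsWith,
     * not String#startsWith, so "/tmp/uploads2" is not accepted for base "/tmp/uploads".
     * Returns null when the request must be rejected (map to 400/404 in the controller).
     */
    static Path safeResolve(String uploadDir, String pictureId) {
        if (pictureId == null || !PICTURE_ID.matcher(pictureId).matches()) {
            return null; // rejects separators, "..", empty and over-long values
        }
        Path base = Paths.get(uploadDir).toAbsolutePath().normalize();
        Path target = base.resolve(pictureId).toAbsolutePath().normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            return null; // escaped the upload directory: defence in depth behind the allow-list
        }
        return target;
    }

    public static void main(String[] args) {
        String uploadDir = "/tmp/";                  // guns.file-upload-path in the advisory's test setup
        String payload = ".././.././../etc/passwd";  // traversal string from the advisory

        // Vulnerable: "/tmp/.././.././../etc/passwd", which the filesystem resolves to /etc/passwd
        System.out.println("vulnerable : " + vulnerableResolve(uploadDir, payload));
        System.out.println("normalized : " + Paths.get(vulnerableResolve(uploadDir, payload)).normalize());

        // Hardened: the payload fails the allow-list and is rejected (null)
        System.out.println("hardened   : " + safeResolve(uploadDir, payload));
        // Hardened: a well-formed identifier resolves to /tmp/a1b2c3d4.png
        System.out.println("hardened   : " + safeResolve(uploadDir, "a1b2c3d4.png"));
    }
}
```

The allow-list alone already stops the advisory's payload; the normalize-and-startsWith check is kept as a second, independent barrier so that a later relaxation of the pattern (for example to permit subdirectories) cannot silently reopen the traversal.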