+ "details": "### Summary\nThe `GET /?redirect` endpoint in `goshs` v2.0.0-beta.6 performs an HTTP redirect to any attacker-supplied `url=` value and writes any attacker-supplied `header=Name: Value` pair into the response, without scheme/host validation, without a header-name allow-list, without authentication in the default deployment, and without the `checkCSRF()` guard that GHSA-jrq5-hg6x-j6g3 added to the other state-changing GET routes (`?mkdir`, `?delete`). The same dispatcher also lacks an `fs.Invisible` branch, so the endpoint stays responsive in `-I` stealth mode and reliably fingerprints an \"invisible\" goshs deployment with a single request.\n\n\n### Details\n`httpserver/handler.go:222-228` — the dispatcher gates `?redirect` only with `denyForTokenAccess` (which only blocks share-token callers). It does not check `fs.Invisible` and does not call `checkCSRF`:\n\n```go\nif _, ok := req.URL.Query()[\"redirect\"]; ok {\n if denyForTokenAccess(w, req) {\n return true\n }\n fs.handleRedirect(w, req)\n return true\n}\n```\n\n`httpserver/handler.go:753-787` — `handleRedirect`:\n\n```go\nfunc (fs *FileServer) handleRedirect(w http.ResponseWriter, req *http.Request) {\n q := req.URL.Query()\n\n target := q.Get(\"url\") // (1) no scheme/host validation\n if target == \"\" { /* 400 */ }\n\n status := http.StatusFound\n if s := q.Get(\"status\"); s != \"\" { // (2) only constrained to 3xx\n code, err := strconv.Atoi(s)\n if err != nil || code < 300 || code > 399 { /* 400 */ }\n status = code\n }\n\n for _, h := range q[\"header\"] { // (3) arbitrary header set\n parts := strings.SplitN(h, \": \", 2)\n if len(parts) != 2 || strings.TrimSpace(parts[0]) == \"\" { /* 400 */ }\n w.Header().Set(strings.TrimSpace(parts[0]), parts[1])\n }\n\n http.Redirect(w, req, target, status) // (4) attacker Location\n\n body := fs.emitCollabEvent(req, status)\n logger.LogRequest(req, status, fs.Verbose, fs.Webhook, body)\n}\n```\n\n`httpserver/server.go:85-100` — `BasicAuthMiddleware` is registered only when `fs.User != \"\" || fs.Pass != \"\"`; the default `goshs` invocation has neither, so `?redirect` is open to anyone on the network._Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\n### PoC\n[poc.zip](https://github.com/user-attachments/files/26673401/poc.zip)\nPlease extract the uploaded compressed file before proceeding\n\n1. docker build -t goshs-poc .\n2. sh poc.sh\n\n<img width=\"1379\" height=\"197\" alt=\"스크린샷 2026-04-13 오후 8 04 20\" src=\"https://github.com/user-attachments/assets/a557846f-47c7-4640-9fc5-34aa099d1a57\" />\n\n\n### Impact\n- Cross-subdomain session fixation — `Set-Cookie: …; Domain=.corp.com` lands a fixed session on every sibling app on the parent domain.\n- TLS downgrade — `Strict-Transport-Security: max-age=0` invalidates prior HSTS state for the origin, enabling MITM on subsequent visits.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments