Summary
The GET /?redirect endpoint in goshs v2.0.0-beta.6 performs an HTTP redirect to any attacker-supplied url= value and writes any attacker-supplied header=Name: Value pair into the response, without scheme/host validation, without a header-name allow-list, without authentication in the default deployment, and without the checkCSRF() guard that GHSA-jrq5-hg6x-j6g3 added to the other state-changing GET routes (?mkdir, ?delete). The same dispatcher also lacks an fs.Invisible branch, so the endpoint stays responsive in -I stealth mode and reliably fingerprints an "invisible" goshs deployment with a single request.
Details
httpserver/handler.go:222-228 — the dispatcher gates ?redirect only with denyForTokenAccess (which only blocks share-token callers). It does not check fs.Invisible and does not call checkCSRF:
if _, ok := req.URL.Query()["redirect"]; ok {
    if denyForTokenAccess(w, req) {
        return true
    }
    fs.handleRedirect(w, req)
    return true
}
httpserver/handler.go:753-787 — handleRedirect:
func (fs *FileServer) handleRedirect(w http.ResponseWriter, req *http.Request) {
    q := req.URL.Query()
    target := q.Get("url") // (1) no scheme/host validation
    if target == "" { /* 400 */ }
    status := http.StatusFound
    if s := q.Get("status"); s != "" { // (2) only constrained to 3xx
        code, err := strconv.Atoi(s)
        if err != nil || code < 300 || code > 399 { /* 400 */ }
        status = code
    }
    for _, h := range q["header"] { // (3) arbitrary header set
        parts := strings.SplitN(h, ": ", 2)
        if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" { /* 400 */ }
        w.Header().Set(strings.TrimSpace(parts[0]), parts[1])
    }
    http.Redirect(w, req, target, status) // (4) attacker Location
    body := fs.emitCollabEvent(req, status)
    logger.LogRequest(req, status, fs.Verbose, fs.Webhook, body)
}
httpserver/server.go:85-100 — BasicAuthMiddleware is registered only when fs.User != "" || fs.Pass != ""; the default goshs invocation has neither, so ?redirect is open to anyone on the network.
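For contrast with points (1), (3) and the missing fs.Invisible branch above, here is an added example of what a hardened redirect handler looks like. It is not goshs code: the names validateRedirectTarget, filterHeaders, hardenedRedirect, probe and the allowedHeaders list are assumptions made for this illustration. Targets are restricted to single-slash absolute paths on the same origin, header names must come from an explicit allow-list (so Set-Cookie and Strict-Transport-Security are refused), CR/LF in values is rejected, and a stealth flag makes the route answer 404 like every other route.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
)

// Hypothetical allow-list of response headers a caller may set on the redirect.
// Set-Cookie and Strict-Transport-Security are deliberately absent.
var allowedHeaders = map[string]bool{
	"Cache-Control": true,
	"X-Request-Id":  true,
}

// validateRedirectTarget accepts only same-origin, path-relative targets.
func validateRedirectTarget(raw string) (string, error) {
	if raw == "" {
		return "", errors.New("missing url")
	}
	// Control characters and backslashes are rejected up front: some clients
	// treat '\' as '/', which would turn "/\evil.example" into a host jump.
	for _, r := range raw {
		if r < 0x20 || r == 0x7f || r == '\\' {
			return "", errors.New("invalid character in url")
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	// Any scheme, host or userinfo means an absolute (off-origin) URL.
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", errors.New("absolute urls are not allowed")
	}
	// "//host" and "///host" must not slip through as a path.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "", errors.New("target must be a single-slash absolute path")
	}
	return u.String(), nil
}

// filterHeaders parses "Name: Value" pairs and keeps only allow-listed names.
func filterHeaders(pairs []string) (http.Header, error) {
	h := http.Header{}
	for _, p := range pairs {
		name, value, ok := strings.Cut(p, ":")
		if !ok {
			return nil, fmt.Errorf("malformed header %q", p)
		}
		name = http.CanonicalHeaderKey(strings.TrimSpace(name))
		value = strings.TrimSpace(value)
		if !allowedHeaders[name] {
			return nil, fmt.Errorf("header %q is not in the allow-list", name)
		}
		if strings.ContainsAny(value, "\r\n") {
			return nil, errors.New("header value contains CR/LF")
		}
		h.Set(name, value)
	}
	return h, nil
}

// hardenedRedirect composes the checks; invisible mirrors a stealth-mode flag.
func hardenedRedirect(invisible bool) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		if invisible {
			http.NotFound(w, req) // behave like every other route in stealth mode
			return
		}
		q := req.URL.Query()
		target, err := validateRedirectTarget(q.Get("url"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		status := http.StatusFound
		if s := q.Get("status"); s != "" {
			code, err := strconv.Atoi(s)
			if err != nil || code < 300 || code > 399 {
				http.Error(w, "bad status", http.StatusBadRequest)
				return
			}
			status = code
		}
		hdrs, err := filterHeaders(q["header"])
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		for k, v := range hdrs {
			w.Header()[k] = v
		}
		http.Redirect(w, req, target, status)
	}
}

// probe drives the handler in-process with httptest and returns the result.
func probe(invisible bool, q url.Values) (int, http.Header) {
	req := httptest.NewRequest(http.MethodGet, "/?"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	hardenedRedirect(invisible).ServeHTTP(rec, req)
	return rec.Code, rec.Header()
}

func main() {
	// Constructed sample inputs: one legitimate target, one off-origin target,
	// and one attempt to smuggle a Set-Cookie header through the redirect.
	cases := []url.Values{
		{"url": {"/files/report.txt"}},
		{"url": {"https://evil.example/phish"}},
		{"url": {"/ok"}, "header": {"Set-Cookie: sid=fixed; Domain=.corp.com"}},
	}
	for _, q := range cases {
		code, h := probe(false, q)
		fmt.Printf("%-60s -> %d Location=%q\n", q.Encode(), code, h.Get("Location"))
	}
}
```

The design choice worth noting is that the allow-list applies to header names, not values: a value check alone would still let a caller pick dangerous header names, which is exactly what makes the Domain=.corp.com and max-age=0 impacts below possible.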
PoC
poc.zip
Please extract the uploaded compressed file before proceeding
- docker build -t goshs-poc .
- sh poc.sh

Impact
- Cross-subdomain session fixation — Set-Cookie: …; Domain=.corp.com lands a fixed session on every sibling app on the parent domain.
- TLS downgrade — Strict-Transport-Security: max-age=0 invalidates prior HSTS state for the origin, enabling MITM on subsequent visits.
References