Litestar and Starlite vulnerable to Path Traversal
Description

Summary

Local File Inclusion via Path Traversal in Litestar Static File Serving

A Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of Litestar. By exploiting a path traversal flaw, an attacker can read files outside the configured static directories. Such access can disclose sensitive information or, depending on what is readable, contribute to compromising the server.

Details

The vulnerability is in the file path handling of the static content serving function, at line 70 of litestar/static_files/base.py. The function fails to properly validate the destination file path derived from user input, permitting directory traversal. The critical code segment is:

    commonpath([str(directory), file_info["name"], joined_path])

Given the variables:

    directory = PosixPath('/Users/brian/sandbox/test_vuln/static')
    file_info["name"] = '/Users/brian/sandbox/test_vuln/static/../requirements.txt'
    joined_path = PosixPath('/Users/brian/sandbox/test_vuln/static/../requirements.txt')

the call returns '/Users/brian/sandbox/test_vuln/static'. commonpath compares path components lexically and never collapses the '..' segment, so any path that merely begins with the static directory is treated as confined to it. The check therefore passes for a path that actually resolves to requirements.txt one level above the static root, and that file is served.

Proof of Concept (PoC)

To reproduce this vulnerability, follow these steps: Set up the environment: Install with pip the…
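To make the failure mode concrete, the following is an added example written for this page; it is not Litestar's code and not taken from the advisory. It reconstructs the lexical commonpath idea in a small function, places a hardened check beside it that canonicalises both sides before comparing, and adds a second edge case the advisory does not discuss: a symlink inside the static root that points outside it, which no amount of '..' filtering would catch. The directory /srv/app/static, the file names, and the helper names are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Added example, not Litestar's code. STATIC_DIR is a hypothetical static root;
# it does not need to exist for the string-based checks below to run.
STATIC_DIR = "/srv/app/static"


def lexical_check(directory: str, requested: str) -> bool:
    """The flawed idea: compare os.path.commonpath() of the base directory and
    the joined path against the base directory. commonpath() compares path
    components lexically and never collapses '..', so any joined path that
    merely *starts with* the base directory passes, including one that
    escapes via '..'."""
    joined = os.path.join(directory, requested.lstrip("/"))
    return os.path.commonpath([directory, joined]) == directory


def resolved_check(directory: str, requested: str) -> bool:
    """Hardened check: canonicalise both the base and the target (collapsing
    '..' and following symlinks) and only then ask whether the target lies
    under the base. relative_to() raises ValueError when it does not."""
    base = Path(directory).resolve()
    target = (base / requested.lstrip("/")).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return False
    return True


def symlink_escape_demo() -> dict:
    """Build a throwaway static root containing a symlink that points outside
    it, then run both checks against a request naming only the symlink (no
    '..' anywhere). The lexical check passes; the resolved check refuses.
    Returns both decisions so they can be asserted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        static = root / "static"
        static.mkdir()
        secret = root / "secret.txt"  # constructed sample file outside the root
        secret.write_text("not for the web\n")
        (static / "link.txt").symlink_to(secret)
        return {
            "lexical": lexical_check(str(static), "link.txt"),
            "resolved": resolved_check(str(static), "link.txt"),
        }


if __name__ == "__main__":
    for req in ("css/site.css", "../requirements.txt"):
        print(req, "lexical:", lexical_check(STATIC_DIR, req),
              "resolved:", resolved_check(STATIC_DIR, req))
    print("symlink escape:", symlink_escape_demo())
```

The resolved check is stricter than a '..' filter on purpose: it also rejects a symlink that escapes the root. If a deployment intentionally serves files through such symlinks, the base directory must be widened to cover their targets rather than weakening the check.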

