Path Traversal in slowscript.httpfileserver

The Android application HTTP File Server (version 1.4.1) by 'slowscript' is affected by a path traversal vulnerability that permits arbitrary directory listing, file read, and file write outside the configured root directory.


Versions below 1.4.1 are probably also affected, but this has not been validated. This vulnerability was assigned CVE-2021-40668.

The application lets the user configure a 'root directory', which is intended to restrict browsing to that directory and the files and folders beneath it.

[Screenshot: Application settings showing the root directory configuration]

Browsing the application's web interface, we see that the GUI does not offer any way to navigate above the root directory.

[Screenshot: Browsing restricted to the Download folder]

Unfortunately, the restriction is only enforced by the GUI, and bypassing it is as simple as the textbook case.

Arbitrary Directory Listing

We can send a path traversal payload directly to the mobile application's HTTP service and render the response in the browser.

[Screenshot: Request demonstrating arbitrary directory listing]
[Screenshot: Directory listing response rendered in the browser]

Arbitrary File Read

[Screenshot: Request demonstrating arbitrary file read]

Arbitrary File Write

[Screenshot: Request demonstrating arbitrary file write]
[Screenshot: Written file confirmed present in the parent directory]

Project Black is an Australian penetration testing company specialising in helping organisations identify and remediate security weaknesses before they can be exploited.