From 67f42381c44af7a7e8f07cf8f514a2663b7ba749 Mon Sep 17 00:00:00 2001 From: ildyria Date: Wed, 18 Jun 2025 00:25:17 +0200 Subject: [PATCH 1/4] version 6.6.10 --- docs/releases.md | 39 +++++++++++++++++++++++ src/components/widgets/Announcement.astro | 8 +++-- 2 files changed, 45 insertions(+), 2 deletions(-) diff --git a/docs/releases.md b/docs/releases.md index 96f7c437..6492580c 100644 --- a/docs/releases.md +++ b/docs/releases.md @@ -30,6 +30,45 @@ ## Version 6 +### v6.6.10 + +Released on Jun 18, 2025 + +#### Security release: MAJOR Vulnerability fix (9.8) + +Lychee version between 6.6.6 and 6.6.9 (included) are vulnerable to a path traversal attack. +This leads the attacker being able to read any files on the server, including `/etc/passwd` and `.env` files... + +#### What to do? + +We strongly recommend that you consider your installation compromised and rotate your secret key using `php artisan key:generate`. +If you are using docker you can do this by running the following command: +```bash +docker exec -it php artisan key:generate +``` +Or modify the value of `APP_KEY` in your `.env` file. This will also invalidate all existing sessions. + +#### The vulnerability + +This vulnerability miss-uses the `$path` variable sent to the server, which is used to access the photos via the `SecurePathController`. +We wrongly assumed that `Storage::disk(StorageDiskType::LOCAL->value)->path($path);` was protected against path traversal attacks which lead to this vulnerability. + +When both the encrypted links and the temporary links are disabled, it is possible to call the endpoint with fictuous path values. Ironically, by enabling either of the functionality, the endpoint becomes secure again. + +#### The fix + +We applied defense in depth: + +1. when neither functionality are enabled, we direclty return a 401/403 error on any call to `/image/{path}`. +2. when either of the functionality are enabled, we check that the `$path` value generated by `Storage::disk(StorageDiskType::LOCAL->value)->path($path);` is within the intended image directory. Should this happen, we return a 418 error code (I'm a teapot) which can later be used to detect malicious calls and combined with fail-2-ban to block the IP address of the attacker. + +#### Credits + +We would really like to thank [@MrRauL124](https://github.com/MrRauL124) for reporting this vulnerability. + +* `fixes` #3469 : Fix path traversal attack + bump version. + + ### v6.6.9 Released on Jun 17, 2025 diff --git a/src/components/widgets/Announcement.astro b/src/components/widgets/Announcement.astro index 9e21527b..2c210f36 100644 --- a/src/components/widgets/Announcement.astro +++ b/src/components/widgets/Announcement.astro @@ -9,9 +9,13 @@ class="text-slate-200 dark:bg-sky-700 bg-sky-600 dark:text-slate-200 font-semibold px-1 py-0.5 text-xs mr-0.5 rtl:mr-0 rtl:ml-0.5 inline-block" >NEW + Lychee 6.6.9 is now available! »CVE 9.8 in Lychee 6.6.9, update Lychee 6.6.10 as soon as possible! » Date: Wed, 18 Jun 2025 00:49:44 +0200 Subject: [PATCH 2/4] Update src/components/widgets/Announcement.astro Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/components/widgets/Announcement.astro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/components/widgets/Announcement.astro b/src/components/widgets/Announcement.astro index 2c210f36..2fbeec6c 100644 --- a/src/components/widgets/Announcement.astro +++ b/src/components/widgets/Announcement.astro @@ -15,7 +15,7 @@ > --> CVE 9.8 in Lychee 6.6.9, update Lychee 6.6.10 as soon as possible! »CVSS 9.8 in Lychee 6.6.9, update Lychee 6.6.10 as soon as possible! » Date: Wed, 18 Jun 2025 00:49:49 +0200 Subject: [PATCH 3/4] Update docs/releases.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/releases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releases.md b/docs/releases.md index 6492580c..6bbd4377 100644 --- a/docs/releases.md +++ b/docs/releases.md @@ -59,7 +59,7 @@ When both the encrypted links and the temporary links are disabled, it is possib We applied defense in depth: -1. when neither functionality are enabled, we direclty return a 401/403 error on any call to `/image/{path}`. +1. when neither functionality are enabled, we directly return a 401/403 error on any call to `/image/{path}`. 2. when either of the functionality are enabled, we check that the `$path` value generated by `Storage::disk(StorageDiskType::LOCAL->value)->path($path);` is within the intended image directory. Should this happen, we return a 418 error code (I'm a teapot) which can later be used to detect malicious calls and combined with fail-2-ban to block the IP address of the attacker. #### Credits From e43e7e1a4a6b957ccce4a4866a9c502d9bb3271f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20Viguier?= Date: Wed, 18 Jun 2025 00:50:09 +0200 Subject: [PATCH 4/4] Update docs/releases.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/releases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releases.md b/docs/releases.md index 6bbd4377..b656121e 100644 --- a/docs/releases.md +++ b/docs/releases.md @@ -53,7 +53,7 @@ Or modify the value of `APP_KEY` in your `.env` file. This will also invalidate This vulnerability miss-uses the `$path` variable sent to the server, which is used to access the photos via the `SecurePathController`. We wrongly assumed that `Storage::disk(StorageDiskType::LOCAL->value)->path($path);` was protected against path traversal attacks which lead to this vulnerability. -When both the encrypted links and the temporary links are disabled, it is possible to call the endpoint with fictuous path values. Ironically, by enabling either of the functionality, the endpoint becomes secure again. +When both the encrypted links and the temporary links are disabled, it is possible to call the endpoint with fictitious path values. Ironically, by enabling either of the functionality, the endpoint becomes secure again. #### The fix