GMS-2021-81: Listing of upload directory contents possible

May 27, 2021

There’s an security issue in prosody-filer versions < 1.0.1 which leads to unwanted directory listings of download directories.

An attacker is able to list previous uploads of a certain user by shortening the URL and accessing a URL subdirectors other than /upload/ (or the corresponding user defined root dir)

Version 1.0.1 and later fix this problem and allow only direct file access if the full path is known. Directory listings are blocked entirely.

References

github.com/ThomasLeister/prosody-filer/security/advisories/GHSA-qmfx-75ff-8mw6
github.com/advisories/GHSA-qmfx-75ff-8mw6

Detect and mitigate GMS-2021-81 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →