Description
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.
Problem types
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23: Relative Path Traversal
CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
Product status
References
github.com/...gernon/security/advisories/GHSA-jc3j-x6pg-4hmv
github.com/...gernon/security/advisories/GHSA-jc3j-x6pg-4hmv