Summary
The PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the GHSA-jrq5-hg6x-j6g3 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network).
Details
Root Cause 1 — Missing CSRF on PUT (httpserver/updown.go:19)
When GHSA-jrq5-hg6x-j6g3 was fixed (commit e3c3d37), checkCSRF() was added to the POST upload() function (line 78) but not to the PUT put() function directly above it in the same file. This means PUT requests are accepted without any CSRF token.
// POST — protected
func (fs *FileServer) upload(w http.ResponseWriter, req *http.Request) {
	if !fs.checkCSRF(w, req) {
		return
	}
	// ...
}

// PUT — unprotected
func (fs *FileServer) put(w http.ResponseWriter, req *http.Request) {
	// No checkCSRF call
	// ...
}
Root Cause 2 — Wildcard CORS (httpserver/server.go:126)
The OPTIONS handler unconditionally returns permissive CORS headers:
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "POST, PUT, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
This allows any website's JavaScript to pass the browser's CORS preflight check and send PUT requests to the goshs server.
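A defensive sketch covering both root causes, added here as an example and not taken from goshs or its fix: the token check is keyed on the HTTP method rather than called per handler, and CORS headers are returned only to allowlisted origins. The names csrfGuard and probe, the X-CSRF-Token header, the allowlisted origin and the token value are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// csrfGuard (hypothetical, not goshs code) checks the token by method class, not per handler.
func csrfGuard(token string, origins map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origins[origin] { // echo an allowlisted origin, never "*"
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
			w.Header().Set("Access-Control-Allow-Methods", "POST, PUT, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-CSRF-Token")
		}
		switch r.Method {
		case http.MethodOptions: // preflight ends here, with or without CORS headers
			w.WriteHeader(http.StatusNoContent)
			return
		case http.MethodGet, http.MethodHead: // read-only methods pass through
		default: // POST, PUT and any other verb need the token (header name is an assumption)
			if got := r.Header.Get("X-CSRF-Token"); got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
				http.Error(w, fmt.Sprintf("%s rejected: invalid CSRF token", r.Method), http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the guard: (status, Access-Control-Allow-Origin).
func probe(token string, origins map[string]bool, method, origin, sent string) (int, string) {
	h := csrfGuard(token, origins, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	req := httptest.NewRequest(method, "/upload.txt", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("X-CSRF-Token", sent)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	allowed := map[string]bool{"http://127.0.0.1:8000": true} // constructed allowlist
	fmt.Println(probe("constructed-token", allowed, "PUT", "https://other.example", ""))
}
```

With this guard a browser stops a cross-site PUT at the preflight, because the response carries no Access-Control-Allow-Origin for an origin outside the allowlist; the token check covers requests that never go through a preflight.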
PoC
poc.zip
Please extract the uploaded compressed file before proceeding
- bash poc.sh

Impact
- Arbitrary file write to the goshs webroot from any website the victim visits
- File overwrite — existing files can be silently replaced