Skip to content

Security: Unauthenticated file download/upload and guard confusion (2 CRITICAL, 2 HIGH) #429

Description

@lighthousekeeper1212

Summary

Security audit of LavaLite CMS identified 5 vulnerabilities in the Filer module and auth guard configuration.

Findings

1. CRITICAL: Unauthenticated File Download and Display

File: Litepie/Filer/routes/web.php:8-9, Litepie/Filer/Http/Controllers/FileController.php:19-32

Routes GET /filer/download/{disk}/{path?} and GET /filer/display/{disk}/{path?} have zero authentication. The FileController extends Controller (no auth), NOT ResourceController (which has auth). The {disk} parameter is user-controlled and maps to configured disks including local (which points to storage/app/).

Attack: GET /filer/download/local/uploads/{any_private_file_path} — no authentication.

Comparison: File UPLOAD via web routes goes through {guard} prefix, meaning ResourceController's auth middleware protects uploads. Download/display routes are NOT behind any guard.

2. CRITICAL: Unauthenticated File Upload via API

File: Litepie/Filer/routes/api.php:3-6, Litepie/Filer/Providers/RouteServiceProvider.php:35-40

POST /api/{guard}/upload/{config}/{path?} is under the api middleware group which only includes ThrottleRequests and SubstituteBindings — no auth middleware. Any unauthenticated user can upload files.

3. HIGH: Admin/User Guard Confusion — Shared Provider

File: config/auth.php:40-63

Both admin and user guards share the same users provider (same table, same model). The set.guard middleware sets the active guard from URL prefix. This allows user-authenticated sessions to access admin routes via URL manipulation.

4. HIGH: Setting Store Only Checks View Permission

File: Litepie/Setting/Http/Requests/SettingResourceRequest.php

The authorize() method only checks view permission on the Setting model regardless of HTTP method. POST (store) operations only require view permission, not create or update.

5. MEDIUM: Default Super Admin Credentials

Default admin credentials admin@lavalite.org / admin@lavalite are documented and seeded.

Impact

Unauthenticated file upload and download. Privilege escalation from user to admin via guard confusion.

Recommended Fix

  • Add auth middleware to Filer routes
  • Separate admin and user auth providers
  • Add proper permission checks for setting store

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions