Issue Description
During a security assessment of our customized Discourse deployment, we discovered a potential directory traversal vulnerability related to the /uploads/* endpoint.
Problem Details
- Accessing /uploads/ allows users to fetch files from arbitrary upload directories by manipulating the URL path.
- For example, it’s possible to traverse and access files across different upload directories that should be logically separated or protected.
- This behavior could allow unauthorized users to access sensitive files or attachments not intended for them, which poses a security risk.
Example
Suppose user A uploads a file in their private messages (or another restricted context).
An attacker can craft a URL such as:
https:///uploads/default/original/1X/../../another_directory/secret_file.jpg
This allows the attacker to traverse up the directory tree and access files in other directories.
Security Impact
- Unauthorized disclosure of private, internal, or otherwise restricted files
- Possible escalation depending on file content
Questions / Feedback Sought
- Is this expected behavior in the current upload implementation?
- Are there any recommended configurations or patches to prevent directory traversal in /uploads/?
- Has this issue been discussed or mitigated in upstream Discourse?
- Do you have guidance for further securing file access in Discourse deployments?
Thank you for your attention and feedback on this potential issue.
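As an added example (editor's code, not the poster's and not Discourse's own implementation) of the check a file-serving endpoint should make for the concern raised above: decode the request tail once, resolve it lexically against a fixed uploads root, and refuse anything whose canonical path lies outside that root. The root directory, the function names and the sample request tails are all assumptions made for the illustration.

```ruby
# Added example, not code from Discourse or from the original post.
# A minimal "stay inside the uploads root" check of the kind a file-serving
# endpoint needs. UPLOADS_ROOT is a hypothetical location.
UPLOADS_ROOT = "/var/www/discourse/public/uploads".freeze

# Decode one layer of percent-encoding so that %2e%2e is seen as "..".
# The web server normally does this once before routing; doing it here
# means the check sees the same bytes the filesystem would.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { [$1.hex].pack("C") }
end

# +requested+ is the part of the URL after "/uploads/".
# Returns the canonical absolute path if it lies inside +root+, else nil.
def safe_upload_path(requested, root = UPLOADS_ROOT)
  decoded = percent_decode(requested.to_s)
  # NUL bytes truncate C strings; backslashes are separators on some stacks.
  return nil if decoded.include?("\0") || decoded.include?("\\")
  # Lexically resolve "." and ".." against the root. absolute_path, unlike
  # expand_path, never expands "~". An absolute +decoded+ ignores +root+
  # and is then caught by the prefix test below.
  full = File.absolute_path(decoded, root)
  # Require the separator so "/uploads_private" does not match "/uploads".
  return nil unless full.start_with?(root + File::SEPARATOR)
  full
end

# Demonstration when run directly: which constructed request tails escape.
if __FILE__ == $PROGRAM_NAME
  [
    "default/original/1X/photo.jpg",
    "default/original/1X/../../another_directory/secret_file.jpg",
    "../../../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/etc/passwd",
  ].each { |tail| puts "#{tail.ljust(58)} => #{safe_upload_path(tail).inspect}" }
end
```

Two things worth noting when applying this to the report above. First, the prefix test only rejects requests that leave the uploads root; a tail such as the post's `default/original/1X/../../another_directory/secret_file.jpg` resolves to a location still under the root, so whether that file may be served is an authorization question for the application (for Discourse, its secure-uploads handling), not something a path check alone decides. Second, browsers and most HTTP clients collapse a literal `..` per RFC 3986 before the request is sent, so when reproducing, send the percent-encoded form (`%2e%2e`) or use `curl --path-as-is`; otherwise the server never sees the traversal sequence.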