Path Traversal in slowscript.httpfileserver

The Android application HTTP File Server (Version 1.4.1) by 'slowscript' is affected by a Path Traversal vulnerability which permits arbitrary directory listing, file read, and file write. Versions below 1.4.1 are also probably impacted but I have not validated this.

The application permits users to configure a 'root directory', which is intended to restrict browsing to that directory and its subdirectories.

[Screenshot: Application Screenshot Showing Root Directory Configuration]

Browsing through the application, the GUI does not offer any way to navigate above the configured root directory.

[Screenshot: Restricted Browsing to Download Folder]

Unfortunately, bypassing this restriction is as simple as the textbook path traversal case: the root directory is enforced only by the GUI, not by the server when it resolves the requested path.

Arbitrary Directory Listing

[Screenshot: Exploiting Arbitrary Directory Listing]
[Screenshot: Showing Response in Browser]

Arbitrary File Read

[Screenshot: Exploiting Arbitrary File Read]

Arbitrary File Write

[Screenshot: Exploiting Arbitrary File Write]
[Screenshot: Validating File Write at Upper Directory]