PT-2026-36710 · Go · Github.Com/Patrickhener/Goshs+1

Published

2026-04-23

·

Updated

2026-04-23

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Summary

The PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the GHSA-jrq5-hg6x-j6g3 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network).

Details

Root Cause 1 — Missing CSRF on PUT (httpserver/updown.go:19)
When GHSA-jrq5-hg6x-j6g3 was fixed (commit e3c3d37), checkCSRF() was added to the POST upload() function (line 78) but not to the PUT put() function directly above it in the same file. This means PUT requests are accepted without any CSRF token.
go
// POST — protected 
func (fs *FileServer) upload(w http.ResponseWriter, req *http.Request) {
  if !fs.checkCSRF(w, req) { return }
  // ...
}

// PUT — unprotected 
func (fs *FileServer) put(w http.ResponseWriter, req *http.Request) {
  // No checkCSRF call
  // ...
}
Root Cause 2 — Wildcard CORS (httpserver/server.go:126)
The OPTIONS handler unconditionally returns permissive CORS headers:
go
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "POST, PUT, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
This allows any website's JavaScript to pass the browser's CORS preflight check and send PUT requests to the goshs server.

PoC

poc.zip
Please extract the uploaded compressed file before proceeding
  1. bash poc.sh 스크린샷 2026-04-17 오후 11 08 13

Impact

  • Arbitrary file write to the goshs webroot from any website the victim visits
  • File overwrite — existing files can be silently replaced

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

GHSA-RHF7-WVW3-VJVM

Affected Products

Github.Com/Patrickhener/Goshs
Github.Com/Patrickhener/Goshs/V2