GHSA-mm6c-5j6x-hq8m: Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename
Summary
Algernon selects its file handler from filepath.Ext() (engine/handlers.go:134), which does not treat the NTFS-equivalent names x.lua::$DATA, x.lua., or x.lua as .lua. On Windows, an unauthenticated client appends one of these suffixes to any server-side script on a public path and receives its raw source instead of executed output, leaking embedded secrets such as database credentials and the SetCookieSecret value.
Linux and macOS hosts are unaffected.
Preconditions
- Algernon runs on a Windows host (NTFS filesystem).
- The instance serves at least one server-side script (.lua, .tl, .po2, .amber, .frm).
- The script sits on a public path, or no auth backend is configured (--nodb, --simple, or default no-DB).
- HTTP/HTTPS reachability to the server.
Details
// engine/handlers.go:133
lowercaseFilename := strings.ToLower(filename)
ext := filepath.Ext(lowercaseFilename) // "index.lua::$data" -> ".lua::$data", not ".lua" [offending]
...
if ac.dispatchRenderer(w, req, filename, ext) { // ext unrecognised, returns false
return
}
switch ext {
case ".lua", ".tl": // execute the script -- never reached for the equivalent forms
// ... RunLua ...
default:
// control reaches the raw-file branch below
}
// engine/handlers.go:452
f, err := os.Open(filename) // NTFS resolves "index.lua::$DATA" to index.lua's data stream
...
// engine/handlers.go:479
if dataBlock, err := ac.ReadAndLogErrors(w, filename, ext); err == nil {
dataBlock.ToClient(w, req, filename, ac.ClientCanGzip(req), gzipThreshold) // raw source to client
}
The request path reaches FilePage through URL2filename (utils/files.go:24), which rejects only ..; a :, a trailing ., and a trailing space all pass through into filename. filepath.Ext does an exact suffix match, so .lua::$data, ., and .lua are not equal to .lua or .tl. The renderer registry and the execute case are both skipped and control falls to th
Details
Original advisory: https://github.com/advisories/GHSA-mm6c-5j6x-hq8m
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-52792 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10