goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. I reproduced this on the latest release v2.0.0-beta.5.
The help text explicitly documents empty usernames as valid authentication input:
options/options.go:264-266 says: Use basic authentication (user:pass - user can be empty)
The SFTP sanity check only requires that either -b or --sftp-keyfile is present:
if opts.SFTP && (opts.BasicAuth == "" && opts.SFTPKeyFile == "") {
logger.Fatal("When using SFTP you need to either specify an authorized keyfile using -sfk or username and password using -b")
}
The -b parsing logic then splits ':pass' into an empty username and a non-empty password:
auth := strings.SplitN(opts.BasicAuth, ":", 2)
opts.Username = auth[0]
opts.Password = auth[1]
But the SFTP server only installs a password handler if both the username and password are non-empty:
if s.Username != "" && s.Password != "" {
sshServer.PasswordHandler = func(ctx ssh.Context, password string) bool {
return ctx.User() == s.Username && password == s.Password
}
}
With -b ':pass' the username is empty, so that condition is false, no PasswordHandler is installed, and no password authentication is enforced for SFTP sessions. The startup check passes because -b is non-empty, while the handler check fails because one of its parts is empty: the two checks disagree on what a valid -b value is, and that gap is the bug.
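The following Go program is an added illustration written for this report; it is not goshs code. It re-implements the -b parsing and the handler-installation condition quoted above, puts a hardened variant beside it, and adds a startup check that refuses to run SFTP when no handler would be installed. The names parseBasicAuth, vulnerableHandler, fixedHandler, connect and sftpStartupCheck are all invented here; connect models the behaviour observed in the report (no handler installed means every client is admitted), and treating an empty configured username as "any username" is an assumption that follows the documented "user can be empty" syntax.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// authConfig holds the result of parsing -b 'user:pass'.
type authConfig struct {
	Username string
	Password string
}

// parseBasicAuth mirrors the SplitN-based parsing quoted in the report:
// ':pass' becomes an empty username and the password "pass".
func parseBasicAuth(flag string) (authConfig, error) {
	auth := strings.SplitN(flag, ":", 2)
	if len(auth) != 2 {
		return authConfig{}, errors.New("basic auth must be user:pass")
	}
	return authConfig{Username: auth[0], Password: auth[1]}, nil
}

// passwordHandler stands in for the ssh server's PasswordHandler callback.
type passwordHandler func(user, password string) bool

// vulnerableHandler reproduces the quoted condition: a handler is installed
// only when both fields are non-empty, so -b ':pass' installs nothing.
func vulnerableHandler(c authConfig) passwordHandler {
	if c.Username != "" && c.Password != "" {
		return func(user, password string) bool {
			return user == c.Username && password == c.Password
		}
	}
	return nil
}

// fixedHandler keys the decision on the password alone. An empty configured
// username is taken to mean "any username" (assumption made for this example,
// matching the documented "user can be empty" syntax); comparisons are
// constant-time so the handler does not leak credential length or prefix.
func fixedHandler(c authConfig) passwordHandler {
	if c.Password == "" {
		return nil
	}
	return func(user, password string) bool {
		if c.Username != "" && subtle.ConstantTimeCompare([]byte(user), []byte(c.Username)) != 1 {
			return false
		}
		return subtle.ConstantTimeCompare([]byte(password), []byte(c.Password)) == 1
	}
}

// connect models the behaviour the report observed: with no password handler
// installed, every client is admitted; otherwise the handler decides.
func connect(h passwordHandler, user, password string) bool {
	if h == nil {
		return true
	}
	return h(user, password)
}

// sftpStartupCheck is a hardened replacement for the sanity check: SFTP may
// start only if a keyfile is given or a password handler would be installed.
func sftpStartupCheck(c authConfig, keyfile string) error {
	if keyfile != "" {
		return nil
	}
	if fixedHandler(c) == nil {
		return errors.New("SFTP enabled but no password handler would be installed")
	}
	return nil
}

func main() {
	cfg, err := parseBasicAuth(":pass")
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable handler, no credentials:", connect(vulnerableHandler(cfg), "attacker", ""))
	fmt.Println("fixed handler, no credentials:     ", connect(fixedHandler(cfg), "attacker", ""))
	fmt.Println("fixed handler, correct password:   ", connect(fixedHandler(cfg), "attacker", "pass"))
	fmt.Println("startup check with -b ':pass':     ", sftpStartupCheck(cfg, ""))
	fmt.Println("startup check with -b ':':         ", sftpStartupCheck(authConfig{}, ""))
}
```

The point of sftpStartupCheck is that the sanity check and the handler wiring share one definition of "usable credentials"; whichever way a project decides to treat an empty username, both places must agree, otherwise a configuration can pass startup and still leave the service open.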
Relevant source locations:
options/options.go:264-266
sanity/checks.go:82-85
sanity/checks.go:102-109
sftpserver/sftpserver.go:82-85
I manually verified the issue on v2.0.0-beta.5. The server was started with the documented empty-user auth syntax -b ':pass', but an SFTP client still downloaded a file without supplying any key or password.
Manual verification commands used:
Terminal 1
cd...
2.0.0
CVSS v3.1 base score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: AV:N, AC:L, PR:N, UI:N; Scope: S:U; Impact: C:H, I:H, A:H