📄 Description (English)
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6.
🤖 AI Executive Summary
goshs versions 2.0.0-beta.4 and 2.0.0-beta.5 leak folder-specific basic authentication credentials through an unprotected public collaborator websocket feed. Unauthenticated attackers can capture Authorization headers from request logs and replay them to gain unauthorized access to protected file directories, enabling read, upload, overwrite, and delete operations. This critical vulnerability affects organizations using goshs as a file-sharing solution without global basic authentication enabled.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 27, 2026 19:24
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using goshs for internal file sharing—particularly in government agencies (NCA, CITC), financial institutions, and healthcare providers—face critical risk of unauthorized file access and data exfiltration. Government entities managing sensitive documents through goshs deployments are especially vulnerable. Energy sector organizations (ARAMCO subsidiaries) and telecommunications providers (STC, Mobily) using goshs for internal collaboration could experience data breaches. The vulnerability enables credential replay attacks, allowing attackers to maintain persistent unauthorized access to protected file repositories without detection.
🏢 Affected Saudi Sectors
Government (NCA, CITC, Ministry entities)
Banking and Financial Services
Healthcare and Medical Institutions
Energy (ARAMCO, oil & gas subsidiaries)
Telecommunications (STC, Mobily, Zain)
Education (Universities, Research Institutions)
Defense and Security Agencies
🎯 MITRE ATT&CK Techniques
T1110.001 - Brute Force: Password Guessing (credential replay)
T1187 - Forced Authentication (capturing Authorization headers)
T1040 - Traffic Sniffing (monitoring websocket for credentials)
T1550.004 - Use Alternate Authentication Material: Web Session Cookie (credential replay)
T1021.001 - Remote Services: SSH (unauthorized file access)
T1020 - Automated Exfiltration (unauthorized file read/download)
T1485 - Data Destruction (unauthorized file deletion)
T1565.001 - Data Manipulation: Stored Data Manipulation (unauthorized file overwrite)
⚖️ Saudi Risk Score (AI)
8.9
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all goshs deployments in your environment running versions 2.0.0-beta.4 or 2.0.0-beta.5
2. Disable or restrict access to the collaborator websocket endpoint immediately
3. Review websocket logs for any suspicious connection patterns or credential exposure
4. Rotate all folder-specific basic authentication credentials
5. Implement network-level access controls to restrict collaborator feed access
PATCHING:
1. Upgrade to goshs 2.0.0-beta.6 or later immediately
2. Test upgraded instances in isolated environment before production deployment
3. Verify that global basic authentication is enabled post-upgrade
COMPENSATING CONTROLS (if immediate upgrade not possible):
1. Deploy reverse proxy (nginx/Apache) with authentication in front of goshs
2. Implement IP whitelisting for collaborator websocket access
3. Disable collaborator feed feature if not required
4. Monitor Authorization header patterns in access logs for anomalies
5. Implement network segmentation to isolate goshs instances
DETECTION:
1. Monitor for multiple failed authentication attempts followed by successful access
2. Alert on Authorization header values appearing in websocket traffic
3. Track file operations (read/write/delete) from unexpected source IPs
4. Review collaborator websocket connection logs for unauthorized access patterns
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع نشرات goshs في بيئتك التي تعمل بالإصدارات 2.0.0-beta.4 أو 2.0.0-beta.5
2. عطّل أو قيّد الوصول إلى نقطة نهاية websocket للمتعاون فوراً
3. راجع سجلات websocket للبحث عن أي أنماط اتصال مريبة أو تسرب بيانات اعتماد
4. قم بتدوير جميع بيانات اعتماد المصادقة الأساسية الخاصة بالمجلدات
5. طبّق عناصر تحكم الوصول على مستوى الشبكة لتقييد الوصول إلى خلاصة المتعاون
التصحيح:
1. قم بالترقية إلى goshs 2.0.0-beta.6 أو إصدار أحدث فوراً
2. اختبر الحالات المرقاة في بيئة معزولة قبل نشر الإنتاج
3. تحقق من تفعيل المصادقة الأساسية العامة بعد الترقية
عناصر التحكم البديلة (إذا لم يكن الترقية الفورية ممكنة):
1. نشّر خادم وكيل عكسي (nginx/Apache) مع المصادقة أمام goshs
2. طبّق القائمة البيضاء للعناوين IP لوصول websocket للمتعاون
3. عطّل ميزة خلاصة المتعاون إذا لم تكن مطلوبة
4. راقب أنماط رؤوس التفويض في سجلات الوصول للكشف عن الشذوذ
5. طبّق تقسيم الشبكة لعزل حالات goshs
الكشف:
1. راقب محاولات المصادقة الفاشلة المتعددة متبوعة بالوصول الناجح
2. أصدر تنبيهات عند ظهور قيم رؤوس التفويض في حركة websocket
3. تتبع عمليات الملفات (القراءة/الكتابة/الحذف) من عناوين IP غير متوقعة
4. راجع سجلات اتصال websocket للمتعاون للبحث عن أنماط وصول غير مصرح به
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy (credential exposure violates access control principles)
ECC 2024 A.6.1.2 - User Registration and De-registration (unauthorized credential replay)
ECC 2024 A.8.2.1 - User Access Management (authentication bypass through credential leakage)
ECC 2024 A.9.2.1 - User Identification and Authentication (weak authentication enforcement)
ECC 2024 A.10.1.1 - Cryptography Policy (credentials transmitted in clear text via websocket)
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset Management (unpatched goshs instances)
SAMA CSF PR.AC-1 - Access Control (credential exposure and unauthorized access)
SAMA CSF PR.AC-3 - Access Enforcement (authentication bypass through replay attacks)
SAMA CSF DE.CM-1 - Detection and Analysis (monitoring for credential leakage)
SAMA CSF RS.MI-2 - Incident Response (credential rotation and access revocation)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of Duties (inadequate access controls)
ISO 27001:2022 A.8.2 - User Access Management (credential management failures)
ISO 27001:2022 A.8.3 - User Responsibilities (authentication credential exposure)
ISO 27001:2022 A.9.2 - User Access Rights (unauthorized access through credential replay)
ISO 27001:2022 A.9.4 - Access Control to Information Systems (weak authentication enforcement)
🔗 References & Sources 2
📦 Affected Products / CPE 2 entries
goshs:goshs:2.0.0
goshs:goshs:2.0.0