Arbitrary file write for remote authenticated user. #6

Open
brandonshiyay opened this issue May 21, 2021 · 0 comments

In the file AttachmentController.java, an uploaded attachment is not checked for file path or file format, which can allow any authenticated user to exploit directory traversal and a modified file extension to write files on the remote system.

Vulnerable code:

				File mediaPath = new File(userPath, hold.toString());
				// Create the directory if it does not exist
				if (!mediaPath.exists()) {
					mediaPath.mkdirs();
				}
				System.out.println("路径++++++" + mediaPath);
				SimpleDateFormat format = new SimpleDateFormat("yyyyMMddHHmmss");
				// Generate the file name
				String nameSuffix = file.getOriginalFilename().substring(0, file.getOriginalFilename().lastIndexOf("."))
						.replaceAll(" ", "_").replaceAll(",", "") + format.format(DateUtil.date())
						+ new Random().nextInt(1000);
				// File extension
				String fileSuffix = file.getOriginalFilename()
						.substring(file.getOriginalFilename().lastIndexOf(".") + 1);
				// Uploaded file name plus extension
				String fileName = nameSuffix + "." + fileSuffix;

				// Save the file to its destination
				file.transferTo(new File(mediaPath.toString(), fileName));

Proof of concept:
Despite the error message, the file will be uploaded successfully.
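
One way to close both gaps described in this issue, shown as an added example that is not the project's code: the stored name is generated on the server, the extension is checked against an allow-list, and the resolved path is verified to stay inside the upload directory. The class name `SafeAttachmentStore`, the allow-list contents and the sample file names are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;
public class SafeAttachmentStore {
    // Assumed allow-list; restrict it to the attachment types the application really needs.
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "jpeg", "gif", "pdf", "txt", "docx", "xlsx");

    // Returns the validated, lower-cased extension of the client-supplied name, or throws.
    static String safeExtension(String originalName) {
        if (originalName == null) throw new IllegalArgumentException("missing file name");
        // Keep only the last path component, whichever separator the client sent.
        String base = originalName.substring(Math.max(originalName.lastIndexOf('/'), originalName.lastIndexOf('\\')) + 1);
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) throw new IllegalArgumentException("no usable extension");
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) throw new IllegalArgumentException("extension not allowed: " + ext);
        return ext;
    }

    // Builds a server-generated target name; the containment check is defence in depth
    // for callers whose uploadRoot includes request-derived sub-directories.
    static Path resolveTarget(Path uploadRoot, String originalName) {
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(UUID.randomUUID() + "." + safeExtension(originalName)).normalize();
        if (!target.startsWith(root)) throw new SecurityException("path escapes upload directory");
        return target;
    }

    static Path store(Path uploadRoot, String originalName, InputStream data) throws IOException {
        Path target = resolveTarget(uploadRoot, originalName);
        Files.createDirectories(target.getParent());
        Files.copy(data, target); // throws if a file with that name already exists
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("uploads");
        // Constructed sample names: one benign, two with traversal sequences, one without extension.
        for (String name : new String[] {"report.pdf", "../../outside/page.jsp", "..\\..\\photo.PNG", "noext"}) {
            try {
                System.out.println(name + " -> " + store(root, name, InputStream.nullInputStream()).getFileName());
            } catch (RuntimeException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

In a Spring controller the same call would take `file.getOriginalFilename()` and `file.getInputStream()`; the original name, if it must be shown to users, belongs in the database rather than on disk.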
