Arbitrary file write for remote authenticated user. #6

@brandonshiyay

In the file AttachmentController.java, an uploaded attachment is not checked for file path or file format, which can allow any authenticated user to exploit directory traversal and a modified file extension to write files on the remote system.

Vulnerable code:

				File mediaPath = new File(userPath, hold.toString());
				// Create the directory if it does not exist
				if (!mediaPath.exists()) {
					mediaPath.mkdirs();
				}
				System.out.println("路径++++++" + mediaPath);
				SimpleDateFormat format = new SimpleDateFormat("yyyyMMddHHmmss");
				// Generate the file name
				String nameSuffix = file.getOriginalFilename().substring(0, file.getOriginalFilename().lastIndexOf("."))
						.replaceAll(" ", "_").replaceAll(",", "") + format.format(DateUtil.date())
						+ new Random().nextInt(1000);
				// File extension
				String fileSuffix = file.getOriginalFilename()
						.substring(file.getOriginalFilename().lastIndexOf(".") + 1);
				// Uploaded file name plus extension
				String fileName = nameSuffix + "." + fileSuffix;

				// Save the file to disk
				file.transferTo(new File(mediaPath.toString(), fileName));

Proof of concept:
Despite the error message, the file will be uploaded successfully.
