In file `AttachmentController.java`, an uploaded attachment is not checked for file path or file format, which allows any authenticated user to exploit directory traversal and a modified file extension to write files on the remote system.
Vulnerable code:
```java
File mediaPath = new File(userPath, hold.toString());
// Create the directory if it does not exist
if (!mediaPath.exists()) {
    mediaPath.mkdirs();
}
System.out.println("路径++++++" + mediaPath);
SimpleDateFormat format = new SimpleDateFormat("yyyyMMddHHmmss");
// Generate the file name
String nameSuffix = file.getOriginalFilename().substring(0, file.getOriginalFilename().lastIndexOf("."))
        .replaceAll(" ", "_").replaceAll(",", "") + format.format(DateUtil.date())
        + new Random().nextInt(1000);
// File extension
String fileSuffix = file.getOriginalFilename()
        .substring(file.getOriginalFilename().lastIndexOf(".") + 1);
// Uploaded file name plus extension
String fileName = nameSuffix + "." + fileSuffix;
// Save the file
file.transferTo(new File(mediaPath.toString(), fileName));
```
Proof of concept:
Despite the error message, the file will be uploaded successfully.
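One way to close the two gaps the report describes (no path check, no format check), as an added example that is not the project's code or a fix from its maintainers. The class name `SafeUploadName`, the method `resolveTarget`, the extension allowlist and the sample filenames are all assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

public class SafeUploadName {
    // Assumed allowlist; adjust to the attachment types the application needs.
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "pdf", "txt", "docx");

    /** Returns a target path guaranteed to sit inside baseDir, or throws. */
    static Path resolveTarget(Path baseDir, String originalFilename) throws IOException {
        if (originalFilename == null) throw new IOException("missing filename");
        // Drop any client-supplied directory part, for both separator styles.
        String leaf = originalFilename.substring(
                Math.max(originalFilename.lastIndexOf('/'), originalFilename.lastIndexOf('\\')) + 1);
        int dot = leaf.lastIndexOf('.');
        if (dot <= 0 || dot == leaf.length() - 1) throw new IOException("no usable extension");
        String ext = leaf.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) throw new IOException("extension not allowed: " + ext);
        // Keep only a conservative character set from the client's base name.
        String stem = leaf.substring(0, dot).replaceAll("[^A-Za-z0-9_-]", "_");
        String stored = stem + "-" + UUID.randomUUID() + "." + ext;
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(stored).normalize();
        // Defence in depth: the normalized result must still be under the base directory.
        if (!target.startsWith(base)) throw new IOException("path escapes upload directory");
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("uploads", "user1"); // constructed sample directory
        // Constructed sample filenames: benign, traversal, disallowed extension, dotfile.
        String[] samples = {"report.pdf", "../../../etc/cron.d/job.txt",
                "..\\..\\web\\shell.jsp", "a b,c.PNG", ".htaccess"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveTarget(base, s));
            } catch (IOException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

In a controller, the returned path would replace the `new File(mediaPath.toString(), fileName)` argument passed to `transferTo`; any directory component taken from request parameters needs the same normalize-and-`startsWith` check.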