SEVEN high-risk vulnerabilities #51

Open
MysteryZ opened this issue Oct 26, 2021 · 1 comment
MysteryZ commented Oct 26, 2021

Hi, there are SEVEN high-risk vulnerabilities in the Administrator background. Please fix it as soon as possible.
Five arbitrary file upload vulnerabilities.
In HelpManageAction.java, MembershipCardManageAction.java, QuestionManageAction.java, TopicManageAction.java and ForumManageAction.java, there is the following insecure code.

// Vulnerable check as posted: only the content sniffed from the stream is
// compared against the allowed format list; the file name suffix is not checked.
if (file.getContentType().equalsIgnoreCase("application/octet-stream")) {
    String fileType = FileType.getType(file.getInputStream());
    for (String format : formatList) {
        if (format.equalsIgnoreCase(fileType)) {
            authentication = true;
            break;
        }
    }
}
And the getType function code is below.

// Looks up the file type from the leading bytes of the stream (the "file head")
// against the static `type` map; returns null when nothing matches.
public static String getType(InputStream inputStream) throws IOException {
    String fileHead = getFileContent(inputStream);
    if (fileHead == null || fileHead.length() == 0) {
        return null;
    }

    fileHead = fileHead.toUpperCase();

    for (Map.Entry<String, String> entry : type.entrySet()) {
        if (fileHead.startsWith(entry.getKey())) {
            return entry.getValue();
        }
    }
    return null;
}

If the Content-Type is "application/octet-stream", the program will go to the getType function, and the function does not strictly check file suffixes.
Proof of concept.
Log in as the administrator first, then choose the topic list and upload a file. With Burp Suite, you can change the Content-Type parameter to application/octet-stream, and change the filename to 1.jsp.
You can find the webshell uploaded successfully.

The other is a Zip Slip vulnerability.
The problem lies in the system upgrade function.
The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh).
The UpgradeNow function in UpgradeManageAction.java unzips the uploaded zip file without checking filenames.

ZipUtil.unZip(updatePackage_path, temp_path);

The hacker can exploit the website like this.



The third vulnerability is code injection.
Background management template.

You can edit the HTML file, so we can insert evil code, as the HTML will be processed by the FreeMarker engine.
When you access the website, the injected evil code will execute.

@MysteryZ MysteryZ changed the title Three high-risk vulnerabilities SEVEN high-risk vulnerabilities Oct 27, 2021
Owner

diyhi commented Oct 28, 2021

The above issues have been fixed in version 5.4.
