JPressProjects / jpress

JPress, a website-building tool developed in Java. Over 100,000 websites are currently driven by JPress, including multiple government agencies, 200+ listed companies, the Chinese Academy of Sciences, the Red Cross and others.
http://www.jpress.cn
GNU Lesser General Public License v3.0
2.68k stars, 1.18k forks

The latest version of JPress deployed on Windows has an arbitrary file upload vulnerability #188

Open lazy-forever opened 3 months ago

lazy-forever commented 3 months ago

Vulnerability Reproduction

Similar to [JPress front end has an arbitrary file upload vulnerability · Issue #173 · JPressProjects/jpress (github.com)](https://github.com/JPressProjects/jpress/issues/173)

Deploy JPress on Windows

After installing the JPress framework, register a user.

http://localhost/user/register

[image 1]

After registration, go to the avatar settings (http://localhost/ucenter/avatar), select an image, and capture the packet to submit.

[image 2]

If you upload an HTML file normally, it shows that uploading is not supported.

[image 3]

Uploading a JSP file will have its suffix changed.

[image 4]

Then we add ::$DATA to the end of the file name and send the packet.

[image 5]

The normal file should be saved at /attachment/20240803/b91be30530c843f8aed2c08bb2222ddc.jsp::$DATA, but the final file is saved at /attachment/1.jsp.

[image 6]

The same applies to HTML files, so it is not elaborated here.

Vulnerability Analysis

In the io.jpress.web.commons.controller.AttachmentController#upload method, line 55 calls the ControllerBase#getFile method.

[image 7]

Then getFile calls the getFirstFileOnly method.

[image 8]

The getFirstFileOnly method calls this.getFiles() to save the file at /attachment/1.jsp::$DATA, but due to the characteristics of Windows, the ::$DATA suffix is ignored, causing the file to be saved at /attachment/1.jsp.

[image 9]

Finally, at line 90 of the io.jpress.web.commons.controller.AttachmentController#upload method, an error is triggered, preventing the file from being moved further, so the file is saved at /attachment/1.jsp.

[image 10]
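The pattern behind the report above, as an added example that is not part of the original issue and is not JPress's code: a suffix blocklist that looks at the text after the last `.` sees `jsp::$DATA`, not `jsp`, and lets the name through, while NTFS treats `name::$DATA` as the unnamed default stream of `name` and writes the bytes into `1.jsp`. The `weak_check` function is a constructed stand-in for that bypassed pattern (JPress's real sanitizer is not reproduced), `ntfs_effective_name` is a simulation of the Windows name rules rather than a measurement on a Windows host, and the allowlist, blocklist and `hardened_check` are assumptions chosen for an avatar upload.

```python
"""
Added example: NTFS ::$DATA suffix bypass of a blocklist-style extension check,
next to a hardened allowlist check. Not JPress code; see the lead-in.
"""
import re
import uuid
from typing import Dict, Optional

# Constructed lists for the example, not taken from JPress.
DANGEROUS_SUFFIXES = {"jsp", "jspx", "html", "htm", "js"}
ALLOWED_IMAGE_SUFFIXES = {"png", "jpg", "jpeg", "gif", "webp"}

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def weak_check(filename: str) -> str:
    """Constructed stand-in for a blocklist that keys on the text after the
    last '.'. For '1.jsp::$DATA' that text is 'jsp::$DATA', which is not in
    the blocklist, so the name passes through unchanged; a plain '1.jsp'
    gets its suffix renamed, matching the behaviour the issue reports."""
    if "." not in filename:
        return filename
    suffix = filename.rsplit(".", 1)[-1]
    if suffix.lower() in DANGEROUS_SUFFIXES:
        return filename[: -len(suffix)] + "unsafe"
    return filename


def ntfs_effective_name(filename: str) -> str:
    """Simulation (assumption) of how Windows resolves a bare NTFS file name:
    'name:stream:$DATA' addresses a stream of 'name', and '::$DATA' is the
    unnamed default stream, i.e. the file content itself, so 'name::$DATA'
    lands in 'name'. Trailing dots and spaces are also stripped."""
    base = filename.split(":", 1)[0]
    return base.rstrip(". ")


def hardened_check(filename: str) -> Optional[str]:
    """Allowlist-based validation. Returns the normalised extension to store
    under, or None to reject. Rejects ':' outright (stream syntax), path
    separators, control characters and trailing dots/spaces before the
    extension is even looked at, so no suffix trick reaches the allowlist."""
    if not filename or _CONTROL_CHARS.search(filename):
        return None
    if any(ch in filename for ch in (":", "/", "\\")):
        return None
    if filename != filename.rstrip(". "):
        return None
    if "." not in filename:
        return None
    stem, suffix = filename.rsplit(".", 1)
    suffix = suffix.lower()
    if not stem or suffix not in ALLOWED_IMAGE_SUFFIXES:
        return None
    return suffix


def storage_name(filename: str) -> Optional[str]:
    """Server-generated name: the client name never reaches the filesystem,
    only a random stem plus the allowlisted extension."""
    suffix = hardened_check(filename)
    if suffix is None:
        return None
    return f"{uuid.uuid4().hex}.{suffix}"


def compare(filename: str) -> Dict[str, Optional[str]]:
    """Side-by-side view of one constructed upload name."""
    weak = weak_check(filename)
    return {
        "weak_check_result": weak,
        "on_disk_after_weak_check": ntfs_effective_name(weak),
        "hardened_check_result": hardened_check(filename),
    }


if __name__ == "__main__":
    for name in ("avatar.png", "1.jsp", "1.jsp::$DATA", "1.html::$DATA", "1.jsp."):
        print(name, compare(name))
```

The decisive difference is that the hardened version rejects on the raw string (`:` anywhere, trailing `.` or space) before computing an extension, and then never stores under the client's name at all; checking only the parsed suffix leaves every filesystem-level canonicalisation trick, of which `::$DATA` is one, out of reach of the check.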