Vulnerability Reproduction
Similar to [JPress front end has an arbitrary file upload vulnerability · Issue #173 · JPressProjects/jpress (github.com)](https://github.com/JPressProjects/jpress/issues/173).
Deploy JPress on Windows.
After installing the JPress framework, register a user at http://localhost/user/register.
After registration, go to the avatar settings (http://localhost/ucenter/avatar), select an image, and capture the packet to submit.
If you upload an HTML file normally, it shows that uploading is not supported.
Uploading a JSP file will have its suffix changed.
When we add ::$DATA to the end of the file name and send the packet, the file should normally be saved at /attachment/20240803/b91be30530c843f8aed2c08bb2222ddc.jsp::$DATA, but it is actually saved at /attachment/1.jsp.
The same applies to HTML files, so it is not elaborated.
Vulnerability Analysis
In the io.jpress.web.commons.controller.AttachmentController#upload method, line 55 calls the ControllerBase#getFile method.
getFile then calls the getFirstFileOnly method.
The getFirstFileOnly method calls this.getFiles(), which saves the file at /attachment/1.jsp::$DATA; but because Windows treats ::$DATA as an NTFS stream specifier rather than part of the file name, the suffix is ignored and the file is written to /attachment/1.jsp.
Finally, at line 90 of the io.jpress.web.commons.controller.AttachmentController#upload method, an error is triggered, preventing the file from being moved further, so the file remains at /attachment/1.jsp.
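As an added illustration (not JPress code), the contrast between a blocklist check applied to the raw client file name after it has already reached disk, which 1.jsp::$DATA slips past because NTFS writes it to 1.jsp, and a hardened check that runs before any bytes are written, rejects stream syntax, allowlists the extension and assigns a server-generated name. The class and method names and the image-only allowlist are assumptions.

```java
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

/** Illustrative upload-name handling; assumed names, not JPress code. */
public final class UploadNameCheck {

    // Assumed avatar policy: only image extensions are accepted.
    private static final Set<String> ALLOWED_EXT = Set.of("jpg", "jpeg", "png", "gif");

    /**
     * Weak check in the spirit of the report: the bytes are already on disk
     * under the client-supplied name, and only a blocklisted trailing extension
     * is rejected. "1.jsp::$DATA" does not end with ".jsp", so it passes,
     * while NTFS has already stored the content as "1.jsp".
     */
    static boolean weakCheckRejects(String clientName) {
        String lower = clientName.toLowerCase(Locale.ROOT);
        return lower.endsWith(".jsp") || lower.endsWith(".html");
    }

    /**
     * Hardened check, run BEFORE anything is written: reject path separators,
     * the ':' that introduces an NTFS alternate data stream, and control
     * characters; allowlist the extension; never reuse the client name.
     */
    static String hardenedStoredName(String clientName) {
        if (clientName == null || clientName.isEmpty()
                || clientName.chars().anyMatch(c -> c == '/' || c == '\\' || c == ':' || c < 0x20)) {
            throw new IllegalArgumentException("unsafe upload name");
        }
        int dot = clientName.lastIndexOf('.');
        if (dot <= 0 || dot == clientName.length() - 1) {
            throw new IllegalArgumentException("missing extension");
        }
        String ext = clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // A server-generated name defeats ADS suffixes, traversal and double
        // extensions at once; only the validated extension is kept.
        return UUID.randomUUID().toString().replace("-", "") + "." + ext;
    }

    public static void main(String[] args) {
        for (String name : new String[] {"avatar.png", "1.jsp", "1.jsp::$DATA"}) {
            String stored;
            try { stored = hardenedStoredName(name); }
            catch (IllegalArgumentException e) { stored = "REJECTED (" + e.getMessage() + ")"; }
            System.out.printf("%-14s weakCheckRejects=%-5b hardened=%s%n", name, weakCheckRejects(name), stored);
        }
    }
}
```

The ordering is the real fix: in the flow described above the multipart parser has already saved the file under the client name before the controller's check fails, so any name check must happen before the save, and the stored name should never be derived from client input.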