jflyfox / jfinal_cms

jfinal cms is a feature-rich information and consulting website written in Java. It uses the concise yet powerful JFinal as its web framework, beetl as the template engine, mysql as the database and bootstrap on the front end. It supports oauth2 authentication, account registration, password encryption, comments and replies, message notifications, site visit statistics, per-article comment and view counts, reply management and permission management. The back-end modules include: column management, column announcements, column carousel images, article management, reply management, feedback, my album, album management, image management, collection management, video management, cache refresh, friendly links, visit statistics, contact management, template management, organization management, user management, role management, menu management and data dictionary management.
http://mtg.jflyfox.com/
Apache License 2.0
628 stars, 285 forks

CSRF to remote code execution #10

Closed ztz472947849 closed 5 years ago

ztz472947849 commented 5 years ago

The whole site is vulnerable to CSRF attacks, and a critical administrative I/O operation is, by design, submitted merely via GET.

Create a post with a webshell that ends in an image suffix (e.g. PNG). Then get the image's URL using the browser (e.g. http://asite.com/jfinal_cms/jflyfox/bbs/ueditor/image/20190404/20190404_203723_454016.png).


Place the link below where an online admin user could possibly see and/or click it.

http://asite.com/jfinal_cms/admin/filemanager?mode=rename&old=/jfinal_cms/jflyfox/bbs/ueditor/image/20190404/20190404_203723_454016.png&new=test.jsp&config=filemanager.config.js&a=fake_image.png

(The path will be prepended with base_dir, so deployment directory differences won't interfere with the exploit.) Hackers can embed this into a src attribute, making it a non-interactive exploit.

The file would be renamed to test.jsp in a static resource folder that is accessible to everyone after a valid admin views this page. .jsp syntax is supported by default.
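A defender-side model of the checks the rename handler lacks, as an added example that is not part of the report or the project's own Java code. It assumes a constructed base directory, a per-session anti-CSRF token and an image-extension allowlist, and uses the rename URL quoted above as sample input.

```python
import posixpath
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed values for this example: the directory the server prepends to
# the `old` parameter and the extensions the file manager may rename.
BASE_DIR = "/srv/webapps"
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# The rename URL quoted in the report, used here as sample input.
REPORTED_URL = ("http://asite.com/jfinal_cms/admin/filemanager?mode=rename"
                "&old=/jfinal_cms/jflyfox/bbs/ueditor/image/20190404/20190404_203723_454016.png"
                "&new=test.jsp&config=filemanager.config.js&a=fake_image.png")


def check_rename(method, url, session_token):
    """Return (allowed, reason) for a filemanager rename request.

    Each refusal maps to one weakness in the report: a state change driven by
    GET, no anti-CSRF token, and an uploaded image renamed to a server-side
    executable suffix. Path confinement is added because the server joins
    BASE_DIR with a caller-supplied path.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if params.get("mode") != "rename":
        return False, "not a rename request"
    # 1. State changes require POST, so an <img src> fetch cannot trigger them.
    if method != "POST":
        return False, "rename must be submitted with POST, not GET"
    # 2. Per-session anti-CSRF token, compared in constant time.
    token = params.get("csrf_token", "")
    if not session_token or not secrets.compare_digest(token, session_token):
        return False, "missing or invalid CSRF token"
    # 3. The new name is a bare file name and the old path stays under BASE_DIR.
    old, new = params.get("old", ""), params.get("new", "")
    if not new or "/" in new or new in (".", ".."):
        return False, "new name must be a bare file name"
    target = posixpath.normpath(posixpath.join(BASE_DIR, old.lstrip("/")))
    if not target.startswith(BASE_DIR + "/"):
        return False, "old path escapes the base directory"
    # 4. Only image-to-image renames, so an uploaded PNG can never become test.jsp.
    old_ext = posixpath.splitext(target)[1].lower()
    new_ext = posixpath.splitext(new)[1].lower()
    if old_ext not in IMAGE_EXTENSIONS or new_ext not in IMAGE_EXTENSIONS:
        return False, "only image-to-image renames are permitted"
    return True, "ok"
```

Run against the reported URL, the request is refused three separate times (GET, no token, .png to .jsp) before an image-to-image rename with a valid token is accepted.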

zcool321 commented 5 years ago

Did you run a code scan on this project?

ztz472947849 commented 5 years ago

Did you run a code scan on this project?

It was reviewed manually, so what I've reported may not be complete. Could you confirm the vulnerability?

zcool321 commented 5 years ago

Thanks for submitting these security issues; they will all be fixed in the next release, version v5.0.0.