jflyfox / jfinal_cms

jfinal cms is a feature-rich information portal website developed in Java. It uses the concise and powerful JFinal as its web framework, Beetl as the template engine, MySQL as the database, and Bootstrap on the front end. It supports OAuth2 authentication, account registration, password encryption, comments and replies, message notifications, site traffic statistics, per-article comment and view counts, reply management, and permission management. Backend modules include: column management, column announcements, column carousel images, article management, reply management, feedback, my albums, album management, image management, collection management, video management, cache refresh, friendly links, visit statistics, contact management, template management, organization management, user management, role management, menu management, and data dictionary management.
http://mtg.jflyfox.com/
Apache License 2.0

[SECURITY] Denial of service because of unsafe regex processing #23

Closed (ghost closed this 3 years ago)

ghost commented 3 years ago

I have tried to contact you via zcool321@sina.com and created https://github.com/jflyfox/jfinal_cms/issues/22 asking for a contact. Nobody replied.

JFinal_cms is vulnerable to regex injection that may lead to Denial of Service.

User controlled path and contextPath are used to build and run a regex expression (first argument to replaceFirst): https://github.com/jflyfox/jfinal_cms/blob/1a9653264be5a2fcf3641ae2aa5f14fc188fd192/src/main/java/com/jflyfox/modules/filemanager/FileManager.java#L929-L949

Since the attacker controls both the string and the regex pattern, he may cause a ReDoS through catastrophic regex backtracking on the server side.
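To make the reported pattern concrete, here is an added illustration that is not the project's code (the linked lines in FileManager.java are not reproduced): `stripPrefixUnsafe` is a hypothetical helper with the same shape, passing a request-derived value as the first argument of `String.replaceFirst`, and the two hardened variants beside it match that value literally instead of compiling it as a regex.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class PathPrefixStrip {

    // Hypothetical helper showing the bug's shape: String.replaceFirst compiles
    // its first argument as a regex, so when contextPath comes from the request
    // the client chooses the pattern the server will execute.
    static String stripPrefixUnsafe(String path, String contextPath) {
        return path.replaceFirst(contextPath, "");
    }

    // Fix 1: quote the value so every character in it is matched literally.
    static String stripPrefixQuoted(String path, String contextPath) {
        return path.replaceFirst(Pattern.quote(contextPath), "");
    }

    // Fix 2: avoid the regex engine entirely and only strip a real prefix.
    static String stripPrefixPlain(String path, String contextPath) {
        if (contextPath.isEmpty() || !path.startsWith(contextPath)) {
            return path;
        }
        return path.substring(contextPath.length());
    }

    public static void main(String[] args) {
        // Constructed sample input, not taken from the project.
        String path = "/app/upload/files/a.txt";
        System.out.println(stripPrefixUnsafe(path, "/app"));  // /upload/files/a.txt
        System.out.println(stripPrefixQuoted(path, "/app"));  // /upload/files/a.txt
        System.out.println(stripPrefixPlain(path, "/app"));   // /upload/files/a.txt

        // A prefix containing a regex metacharacter proves the first argument
        // is interpreted as a pattern: the unsafe variant fails to compile it,
        // while the quoted variant treats "(" as a plain character.
        String ctx = "/app(";
        try {
            System.out.println(stripPrefixUnsafe("/app(/x", ctx));
        } catch (PatternSyntaxException e) {
            System.out.println("unsafe variant: " + e.getDescription());  // Unclosed group
        }
        System.out.println(stripPrefixQuoted("/app(/x", ctx));  // /x
        System.out.println(stripPrefixPlain("/app(/x", ctx));   // /x
    }
}
```

Either fix removes the injection: the client can no longer influence the pattern that is compiled, so it cannot supply one that backtracks catastrophically.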

zcool321 commented 3 years ago

Thank you for the feedback. For easy, there is a problem.

ghost commented 3 years ago

Hi, is there any update on this?

ghost commented 2 years ago

Mitre assigned CVE-2021-37262 ID for the issue.