jflyfox / jfinal_cms

jfinal cms is a feature-rich information portal written in Java. It uses the concise and powerful JFinal as its web framework, Beetl as the template engine, MySQL as the database, and Bootstrap on the front end. It supports OAuth2 authentication, account registration, password encryption, comments and replies, message notifications, site visit statistics, per-article comment and view counts, reply management, and permission management. Back-end modules include: column management, column announcements, column carousel images, article management, reply management, feedback, my albums, album management, image management, collection management, video management, cache refresh, friendly links, visit statistics, contact management, template management, organization management, user management, role management, menu management, and data dictionary management.
http://mtg.jflyfox.com/
Apache License 2.0

jfinal_cms 5.1.0 file path injection vulnerability #31

Open luchua-bc opened 2 years ago

luchua-bc commented 2 years ago

There is a CWE-073 - file path injection vulnerability with the upload controller.

If an admin user uploads a malicious file with an injected path, e.g. https:///jfinal_cms/system/upload?uploadPath=../../../, the application will either serve malicious web pages or overwrite important system files.

A sample page to trigger the upload functionality is as follows:

<html>
  <body>
    <!-- <jfinal_cms.site> is a placeholder for the target host; uploadPath carries the traversal sequence -->
    <form method="post" action="https://<jfinal_cms.site>/jfinal_cms/system/upload?uploadPath=../../../" enctype="multipart/form-data" id="myfile">
      <input type="file" name="file">
      <input type="submit" value="Upload">
    </form>
  </body>
</html>

The following sample XHTML file with JavaScript payload was used to showcase sensitive information like cookies can be leaked:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
</head>
<body>
<script type="text/javascript">
      alert(document.cookie);
</script>
<h1>POC</h1>
</body>
</html>

The XHTML file was successfully uploaded to the webroot directory, which broke out of the intended directory /upload/jflyfox/bbs/.

[Screenshot: upload_success]

Accessing the file leaks the session cookies, which confirmed the file path injection vulnerability:

[Screenshot taken 2022-02-05, 9:11:35 PM]

Unsanitized user provided data must not be used to construct the file path. In order to prevent File Path Injection, it is recommended to avoid concatenating user input directly into the file path. Instead, user input should be checked against allowed (e.g., must come within user_content/) or disallowed (e.g. must not come within /internal) paths, ensuring that neither path traversal using ../ nor URL encoding is used to evade these checks.

Please consider fixing the issue. Thanks.
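The containment check the report recommends, written out as an added example. This is not jfinal_cms code and does not use JFinal's API; the base directory, the class name and the sample inputs are assumptions chosen to mirror the issue (the intended upload directory /upload/jflyfox/bbs/ and the `../../../` value passed in uploadPath). It resolves the caller-supplied sub-path against a fixed base, decodes percent-encoding once so an encoded `../` is seen before the check, refuses double-encoded input, and only returns a path whose components still start with the base.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not jfinal_cms code): resolve a user-supplied upload
 * sub-directory against a fixed base directory and reject anything
 * that escapes it. BASE is a hypothetical deployment path.
 */
public final class SafeUploadPath {

    // Hypothetical absolute location of the intended upload directory.
    private static final Path BASE =
        Paths.get("/var/www/jfinal_cms/upload/jflyfox/bbs").toAbsolutePath().normalize();

    /** Returns the directory inside BASE that userSubPath refers to, or throws if it escapes. */
    public static Path resolve(String userSubPath) {
        if (userSubPath == null || userSubPath.isEmpty()) {
            return BASE;
        }
        // Decode once so "%2e%2e%2f" is compared as "../", not as harmless literal text.
        String decoded = URLDecoder.decode(userSubPath, StandardCharsets.UTF_8);
        // A value that still changes under a second decode was double-encoded; refuse it
        // instead of decoding in a loop, which is where encoding-based bypasses hide.
        if (!decoded.equals(URLDecoder.decode(decoded, StandardCharsets.UTF_8))) {
            throw new IllegalArgumentException("double-encoded path rejected: " + userSubPath);
        }
        // Absolute paths, Windows separators and NUL bytes are never legitimate sub-paths here.
        if (decoded.startsWith("/") || decoded.contains("\\") || decoded.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("illegal characters in path: " + userSubPath);
        }
        // normalize() collapses "." and ".." lexically; Path.startsWith compares whole
        // components, so a sibling such as ".../bbs2" does not pass as a prefix of ".../bbs".
        Path candidate = BASE.resolve(decoded).normalize();
        if (!candidate.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes upload directory: " + userSubPath);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed inputs: two legitimate sub-paths, the report's traversal, an
        // encoded traversal, a traversal hidden behind a valid first component,
        // and a double-encoded traversal.
        String[] inputs = {
            "", "2022/02", "2022/../2023",
            "../../../", "%2e%2e/%2e%2e/%2e%2e/", "sub/../../etc", "%252e%252e/"
        };
        for (String in : inputs) {
            try {
                System.out.println("ALLOW " + in + " -> " + resolve(in));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + in + " : " + e.getMessage());
            }
        }
    }
}
```

The check is lexical: normalize() does not consult the filesystem, so if the base directory itself contains symbolic links pointing outside it, the resulting file should additionally be confirmed with toRealPath() after it is written, and the upload filename must go through the same treatment as the directory, since a `../` in the multipart filename escapes just as well as one in uploadPath.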