kekingcn / kkFileView

Universal File Online Preview Project based on Spring-Boot
https://kkview.cn

Arbitrary file reading vulnerability #420

Open S2eTo opened 1 year ago

S2eTo commented 1 year ago

Vulnerability details

The unauthenticated /onlinePreview endpoint receives a base64-encoded parameter, url; after parsing url it obtains the preview handler and calls filePreviewHandle to handle the preview (cn.keking.web.controller.OnlinePreviewController#onlinePreview). [screenshot]

The fullfilename value inside the url parameter is parsed as the file name (cn.keking.service.FileHandlerService#getFileAttribute). [screenshot]

Among them, CodeFilePreviewImpl, XmlFilePreviewImpl and MarkdownFilePreviewImpl delegate to SimTextFilePreviewImpl for processing. [screenshot]

In SimTextFilePreviewImpl#filePreviewHandle the file content is read through textData and set into the global parameters; the key part is the second red box, getContent (cn.keking.service.impl.SimTextFilePreviewImpl#filePreviewHandle). [screenshot]

The DownloadUtils#downLoad method calls the getRelFilePath method (cn.keking.utils.DownloadUtils#downLoad). [screenshot]

If the file already exists, the download is skipped directly. [screenshot]

The resulting file name is then passed into textData, which reads the file content (cn.keking.service.impl.SimTextFilePreviewImpl#textData). [screenshot]

For other file types the effect is the same, because they can be displayed on the page directly in their original format, so any file can be read. For example, a video file is returned to the page and played directly; pdf and the rest behave the same way.

Vulnerability reproduction

//  decoded: /onlinePreview?url=http:/1!/?fullfilename=../../../../pom.xml
GET /onlinePreview?url=aHR0cDovMSEvP2Z1bGxmaWxlbmFtZT0uLi8uLi8uLi8uLi9wb20ueG1s

[screenshot]

gaoxingzaq commented 1 year ago

For now, the following has been added inside the getRelFilePath method:

// check whether the path is illegal
if (KkFileUtils.isIllegalFileName(fileName)) { return null; }

S2eTo commented 1 year ago

File parameter parsing: in FileHandlerService, the parsing of file names does not implement any XSS defence, resulting in an XSS vulnerability.

cn.keking.service.FileHandlerService#getFileAttribute

[screenshot]

# /onlinePreview?url=http:/1!/?fullfilename=<script>alert("1")</script>.xml
/onlinePreview?url=aHR0cDovMSEvP2Z1bGxmaWxlbmFtZT08c2NyaXB0PmFsZXJ0KCIxIik8L3NjcmlwdD4ueG1s

[screenshot]

gaoxingzaq commented 1 year ago

In getFileAttribute: fileName = KkFileUtils.htmlEscape(fileName); // file name handling
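As an added example that is not kkFileView's own code, the following carries the two fixes mentioned in this thread (the isIllegalFileName check in getRelFilePath and the htmlEscape in getFileAttribute) through end to end for the request shape described in the report: decode the base64 url parameter, pull out fullfilename, reject traversal names, confirm the resolved path still sits inside the preview directory, and HTML-escape the name before it is echoed into a page. The class name PreviewInputCheck, the FILE_DIR value, the benign third sample and the exact rejection rules are assumptions for the demo; the first two samples are the payloads quoted above.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Base64;

/**
 * Added example (not kkFileView's code). Shows the validation chain the fixes
 * in this issue point at. Names and constants here are constructed for the demo.
 */
public class PreviewInputCheck {

    /** Directory previews are stored under; a constructed value for the demo. */
    static final Path FILE_DIR = Paths.get("/opt/kkfileview/file").toAbsolutePath().normalize();

    /** Decode the base64 "url" parameter the way the endpoint receives it. */
    static String decodeUrlParam(String b64) {
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    /** Pull the fullfilename query value out of the decoded URL, or null if absent. */
    static String extractFullFilename(String decodedUrl) {
        int q = decodedUrl.indexOf('?');
        if (q < 0) return null;
        for (String pair : decodedUrl.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals("fullfilename")) {
                return pair.substring(eq + 1);
            }
        }
        return null;
    }

    /**
     * Reject names that could leave the preview directory or break path handling.
     * Deliberately conservative: a ".." anywhere, any separator or a NUL byte is refused.
     */
    static boolean isIllegalFileName(String name) {
        if (name == null || name.isEmpty()) return true;
        if (name.contains("..")) return true;
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0) return true;
        return name.indexOf('\0') >= 0;
    }

    /** Defence in depth: even a name that passed the check must resolve inside FILE_DIR. */
    static Path resolveInsideFileDir(String name) {
        Path target = FILE_DIR.resolve(name).normalize();
        if (!target.startsWith(FILE_DIR)) {
            throw new IllegalArgumentException("path escapes file dir: " + name);
        }
        return target;
    }

    /** Minimal HTML escaping for a name that will be echoed into a page. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the two payloads quoted in this issue plus one benign name.
        String[] samples = {
            "aHR0cDovMSEvP2Z1bGxmaWxlbmFtZT0uLi8uLi8uLi8uLi9wb20ueG1s",
            "aHR0cDovMSEvP2Z1bGxmaWxlbmFtZT08c2NyaXB0PmFsZXJ0KCIxIik8L3NjcmlwdD4ueG1s",
            Base64.getEncoder().encodeToString(
                "http://files.example/report.pdf?fullfilename=report.pdf"
                    .getBytes(StandardCharsets.UTF_8)),
        };
        for (String b64 : samples) {
            String name = extractFullFilename(decodeUrlParam(b64));
            if (isIllegalFileName(name)) {
                // Escape even on the error path: the rejected name may be shown to the user.
                System.out.println("rejected: " + htmlEscape(String.valueOf(name)));
                continue;
            }
            Path p = resolveInsideFileDir(name);
            System.out.println("accepted: " + htmlEscape(name) + " -> " + p);
        }
    }
}
```

Running it rejects the first two samples (the traversal name because of the ".." and "/" segments, the script name because "</script>" contains a separator) and accepts only report.pdf, which resolves under FILE_DIR; the startsWith check is what still protects the preview directory if the string rules are ever loosened.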