Open S2eTo opened 1 year ago
For now, in the getRelFilePath method, add: // check whether the path is illegal if (KkFileUtils.isIllegalFileName(fileName)) { return null; }
File parameter parsing: in FileHandlerService, the parsing of file names does not implement any XSS defense, resulting in an XSS injection vulnerability.
cn.keking.service.FileHandlerService#getFileAttribute
# /onlinePreview?url=http:/1!/?fullfilename=<script>alert("1")</script>.xml
/onlinePreview?url=aHR0cDovMSEvP2Z1bGxmaWxlbmFtZT08c2NyaXB0PmFsZXJ0KCIxIik8L3NjcmlwdD4ueG1s
getFileAttribute: fileName = KkFileUtils.htmlEscape(fileName); // file name processing
Vulnerability details
The unauthenticated interface /onlinePreview receives a base64-encoded parameter, url; after parsing url, it gets the view processor and calls filePreviewHandle to handle the view: cn.keking.web.controller.OnlinePreviewController#onlinePreview
fullfilename is parsed out of the url parameter and used as the file name: cn.keking.service.FileHandlerService#getFileAttribute
Among them, CodeFilePreviewImpl, XmlFilePreviewImpl and MarkdownFilePreviewImpl delegate to SimTextFilePreviewImpl for processing.
In SimTextFilePreviewImpl#filePreviewHandle, the content of the file is read through textData and set into the global parameters; the key part is the second red box, getContent: cn.keking.service.impl.SimTextFilePreviewImpl#filePreviewHandle
The DownloadUtils#downLoad method calls the getRelFilePath method: cn.keking.utils.DownloadUtils#downLoad
If the file already exists, the download is skipped directly.
The resulting file name parameter is passed into textData to read the file content: cn.keking.service.impl.SimTextFilePreviewImpl#textData
Other file types can be displayed directly on the page in their original format, so the effect is the same and any file can be read. For example, video files are returned directly to the page for playback; pdf and the other types behave the same way.
Vulnerability reproduction
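The following is an added example, not kkFileView's own code, that models the two defensive steps discussed in this issue for a file name taken from the fullfilename query parameter: HTML-escaping the name before it is rendered (the intent of the KkFileUtils.htmlEscape line) and rejecting names that contain path separators, traversal sequences or control characters (the intent of the isIllegalFileName check in the comment). The decodeUrlParam and extractFullFileName helpers, the escaping and rejection rules, and the class name are assumptions made for this example; the project's real implementations may differ. The sample input is the base64 url value quoted in the report.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not kkFileView's own code: models the defensive handling of a
// file name derived from the fullfilename query parameter.
public class FileNameSanitizer {

    // Constructed input: the base64 url parameter quoted in the report.
    static final String SAMPLE_URL_PARAM =
        "aHR0cDovMSEvP2Z1bGxmaWxlbmFtZT08c2NyaXB0PmFsZXJ0KCIxIik8L3NjcmlwdD4ueG1s";

    // Decode the base64 url parameter as the /onlinePreview endpoint does (assumed helper).
    static String decodeUrlParam(String b64) {
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    // Pull the fullfilename value out of the query string (assumed helper, not the project's).
    static String extractFullFileName(String url) {
        int q = url.indexOf('?');
        if (q < 0) return null;
        for (String pair : url.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (key.equals("fullfilename")) {
                return eq < 0 ? "" : pair.substring(eq + 1);
            }
        }
        return null;
    }

    // Escape the characters that let a file name break out of an HTML text node
    // or attribute value; same intent as the htmlEscape call in the fix.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Reject names that could leave the cache directory or carry control
    // characters; same intent as the isIllegalFileName check in the comment.
    static boolean isIllegalFileName(String s) {
        if (s == null || s.isEmpty()) return true;
        if (s.contains("..") || s.contains("/") || s.contains("\\")) return true;
        for (char c : s.toCharArray()) {
            if (c < 0x20 || c == 0x7f) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String url = decodeUrlParam(SAMPLE_URL_PARAM);
        String raw = extractFullFileName(url);
        System.out.println("raw:     " + raw);
        System.out.println("escaped: " + htmlEscape(raw));
        // The report's sample name contains "/" inside "</script>", so the
        // illegal-name check rejects it before any file is written or rendered.
        System.out.println("illegal: " + isIllegalFileName(raw));
    }
}
```

Escaping protects the page that renders the name; the illegal-name check protects the file system path built from it. The two checks address different sinks, so a fix that applies only one of them leaves the other exposed.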