zyx0814 / dzzoffice


Multiple path manipulation vulnerability #217

Open enferas opened 2 years ago

enferas commented 2 years ago

Hello,

I would like to report possible path manipulation vulnerabilities.

The path of the vulnerability.

In file https://github.com/zyx0814/dzzoffice/blob/master/dzz/io/setStream.php

if(!$path=dzzdecode(rawurldecode($_GET['path']))){
    exit('Access Denied');
}
//...
if(!$msg && ($re=IO::setFileContent($path,$content,true))){
    //...
}

In file https://github.com/zyx0814/dzzoffice/blob/master/core/class/io/io_ALIOSS.php

public function setFileContent($path,$data){
    //..
    self::deleteThumb($path);
    //..
}

In file https://github.com/zyx0814/dzzoffice/blob/master/core/class/io/io_ALIOSS.php

public function deleteThumb($path){
    global $_G;
    $imgcachePath='./imgcache/';
    // Note: $path carries the value from the source
    $cachepath=str_replace('//','/',str_replace(':','/',$path));

    foreach($_G['setting']['thumbsize'] as $value){
        $target = $imgcachePath . ($cachepath) . '.' . $value['width'] . '_' . $value['height'] . '_1.jpeg';
        $target1 = $imgcachePath . ($cachepath) . '.' . $value['width'] . '_' . $value['height'] . '_2.jpeg';
        @unlink($_G['setting']['attachdir'].$target);
        @unlink($_G['setting']['attachdir'].$target1);
    }
}

We see that there is no check between the input $_GET['path'] and the unlink for the $target. $target can carry the value ../ which goes back in the image directory.
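
The check the report says is missing, as an added example that is neither dzzoffice code nor the reporter's: before `unlink()`, refuse `..` segments and confirm the resolved parent directory is still under the imgcache base. The function names, the `$attachDir . '/imgcache'` base and the temporary-directory demo are assumptions made for illustration.

```php
<?php
// Added example, not dzzoffice code; function names are hypothetical.
/** Absolute path of $relative under $baseDir, or null if it would escape. */
function resolveInsideBase(string $baseDir, string $relative): ?string
{
    $base = realpath($baseDir);
    $relative = str_replace('\\', '/', $relative);
    // Lexical check: refuse NUL bytes and any ".." segment up front.
    if ($base === false || strpos($relative, "\0") !== false
        || in_array('..', explode('/', $relative), true)) {
        return null;
    }
    $candidate = $base . '/' . ltrim($relative, '/');
    // The thumbnail may not exist, so resolve its parent (this follows symlinks).
    $parent = realpath(dirname($candidate));
    $sep = DIRECTORY_SEPARATOR;
    if ($parent === false || strpos($parent . $sep, $base . $sep) !== 0) {
        return null;
    }
    return $parent . $sep . basename($candidate);
}

/** Delete cached thumbnails for $path; returns the files actually removed. */
function deleteThumbsSafely(string $attachDir, string $path, array $sizes): array
{
    $deleted = [];
    // Same transformation as deleteThumb() quoted in the report.
    $cachepath = str_replace('//', '/', str_replace(':', '/', $path));
    foreach ($sizes as $s) {
        foreach (['_1.jpeg', '_2.jpeg'] as $suffix) {
            $rel = $cachepath . '.' . $s['width'] . '_' . $s['height'] . $suffix;
            $target = resolveInsideBase($attachDir . '/imgcache', $rel);
            if ($target !== null && is_file($target) && unlink($target)) {
                $deleted[] = $target;
            }
        }
    }
    return $deleted;
}

// Constructed demo: one thumbnail inside imgcache, one file outside it.
$attach = sys_get_temp_dir() . '/dzz_demo_' . bin2hex(random_bytes(4));
mkdir($attach . '/imgcache/dzz/1', 0700, true);
touch($attach . '/imgcache/dzz/1/a.png.256_256_1.jpeg');
touch($attach . '/outside.256_256_1.jpeg');
$sizes = [['width' => 256, 'height' => 256]];
var_dump(deleteThumbsSafely($attach, 'dzz:1/a.png', $sizes));
var_dump(deleteThumbsSafely($attach, '../outside', $sizes));
var_dump(file_exists($attach . '/outside.256_256_1.jpeg'));
```

The first call removes the thumbnail under `imgcache`; the second is refused at the lexical check, so the file beside `imgcache` is left in place.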