This is the English vulnerability report; the Chinese report is in: 任意文件上传漏洞 (Arbitrary file upload vulnerability)
Description
@PostMapping /reportDashboard/import/{reportCode}: the interface for importing the big screen accepts file uploads, does not limit the file suffix, and does not check, filter or sanitize the file name, resulting in an arbitrary file upload vulnerability.
Vulnerability details
This API receives file uploads and hands them over to reportDashboardService.importDashboard() for processing
com.anjiplus.template.gaea.business.modules.dashboard.controller.ReportDashboardController#importDashboard
Following reportDashboardService.importDashboard(): this method calls FileUtil.decompress(file, path); to decompress the file
com.anjiplus.template.gaea.business.modules.dashboard.service.impl.ReportDashboardServiceImpl#importDashboard
Following FileUtil.decompress(file, path): it calls MultipartFile.transferTo() to write the file; after the file is written successfully, it decompresses the file, and ***after the decompression is successful*** it deletes the file.
Here, the file deletion is wrongly placed at the end of the exception processing. When a non-compressed file is passed in, the call to decompress() throws java.util.zip.ZipException: error in opening zip file, and file.delete() is skipped, so the file is not deleted.
Debugging shows that StandardMultipartFile is used here.
The file name is not processed in StandardMultipartFile, resulting in arbitrary directory traversal.
Vulnerability reproduction
Payload
File uploaded successfully
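A hardened form of the import flow described in this report, added here as an example (it is not the project's code or its fix): it restricts the suffix, never uses the client-supplied file name in a path, and deletes the uploaded archive in a finally block. SafeImportUtil and its parameter names are hypothetical; the zip entry check goes one step beyond what the report covers.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Collections;
import java.util.Locale;
import java.util.UUID;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import org.springframework.web.multipart.MultipartFile;
// Hypothetical helper for illustration; not the project's FileUtil.
public final class SafeImportUtil {
    public static void decompress(MultipartFile upload, Path destDir) throws IOException {
        // 1. Suffix allow-list. The client-supplied name is used for this check only.
        String clientName = upload.getOriginalFilename();
        if (clientName == null || !clientName.toLowerCase(Locale.ROOT).endsWith(".zip")) {
            throw new IOException("only .zip uploads are accepted");
        }
        Path root = destDir.toAbsolutePath().normalize();
        Files.createDirectories(root);
        // 2. Server-generated name: no request data reaches the path, so "../" cannot.
        Path archive = root.resolve(UUID.randomUUID() + ".zip");
        try {
            upload.transferTo(archive.toFile());
            // ZipFile throws ZipException here when the upload is not an archive.
            try (ZipFile zip = new ZipFile(archive.toFile())) {
                for (ZipEntry entry : Collections.list(zip.entries())) {
                    // Entry names come from the uploader too; keep them under root.
                    Path target = root.resolve(entry.getName()).normalize();
                    if (!target.startsWith(root)) {
                        throw new IOException("zip entry escapes the import directory");
                    }
                    if (entry.isDirectory()) {
                        Files.createDirectories(target);
                        continue;
                    }
                    Files.createDirectories(target.getParent());
                    try (InputStream in = zip.getInputStream(entry)) {
                        Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                    }
                }
            }
        } finally {
            // 3. Runs on success and on any exception, so the upload never lingers.
            Files.deleteIfExists(archive);
        }
    }
}
```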