Vulnerability: read and write to any file #355

Closed
0x2E opened this issue May 15, 2019 · 8 comments

@0x2E
commented May 15, 2019

Describe the problem

Sensitive system files can be read through code or soft links.

Steps to reproduce

Method 1: by code

  1. Write code in the editor to read any file, such as /etc/passwd
  2. Click the green button at the top to compile and run about three times (I don't know why three)
  3. /etc/passwd will be read out

Method 2: by git or compressed file

  1. Create a soft link to a sensitive file, such as /etc/passwd, on Linux
     ln -s /etc/passwd ./passwdLink
  2. Compress the soft link
     zip -y test.zip passwdLink
  3. Upload the zip and unzip it. When you open a link file, the local file that it points to is opened
  4. Change and save the file if the user running wide has permission

Expected result

Sensitive system files should not be read.

Screenshots or recordings

(two screenshots, not preserved)

@88250

Member

commented May 16, 2019

Thank you, we will fix it. This is a duplicate of #296.

@88250 88250 closed this May 16, 2019

@88250

Member

commented May 16, 2019

The latest code has been deployed to wide.b3log.org. If it is convenient, please help check whether there are still any problems. Thanks!

@0x2E

Author

commented May 16, 2019

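@88250 Hello, Method 2 mentioned above still works: when the editor opens a file, it does not check whether it is a symbolic link. Calling this a duplicate is a bit unfair to me 😂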

@88250 88250 reopened this May 16, 2019
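
The check that the comment above says is missing when a file is opened, sketched as an added example (not Wide's own code): resolve symlinks first and refuse any path whose real target leaves the workspace. `resolveInWorkspace`, `ErrOutsideWorkspace`, `demo` and the temporary paths are hypothetical names, and Go is assumed as the project's language.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideWorkspace = errors.New("path resolves outside workspace")

// resolveInWorkspace (hypothetical helper) follows symlinks in a user-supplied
// relative path and rejects it unless the real target is under root.
func resolveInWorkspace(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Every path component is resolved, so a link in a parent directory counts too.
	target, err := filepath.EvalSymlinks(filepath.Join(realRoot, rel))
	if err != nil {
		return "", err
	}
	if target != realRoot && !strings.HasPrefix(target, realRoot+string(os.PathSeparator)) {
		return "", ErrOutsideWorkspace
	}
	return target, nil
}

// demo builds a constructed workspace: one regular file, one link pointing outside.
func demo() (okErr, linkErr error) {
	base, _ := os.MkdirTemp("", "ws-demo")
	defer os.RemoveAll(base)
	root := filepath.Join(base, "workspace")
	os.Mkdir(root, 0o700)
	secret := filepath.Join(base, "secret.txt") // stands in for /etc/passwd
	os.WriteFile(secret, []byte("x"), 0o600)
	os.WriteFile(filepath.Join(root, "main.go"), []byte("package main"), 0o600)
	os.Symlink(secret, filepath.Join(root, "passwdLink"))
	_, okErr = resolveInWorkspace(root, "main.go")
	_, linkErr = resolveInWorkspace(root, "passwdLink")
	return okErr, linkErr
}

func main() {
	okErr, linkErr := demo()
	fmt.Println("main.go:", okErr, "| passwdLink:", linkErr)
}
```

The same check applies to saving, since Method 2 also allows writing through the link. Resolving and opening are separate steps, so this narrows the problem rather than replacing isolation of the process that serves the files.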

@88250

Member

commented May 16, 2019

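Sorry, I have reopened this issue.

The upload problem seems fairly serious, so I will remove that feature completely later. Thanks for the feedback.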

@88250 88250 self-assigned this May 16, 2019

@88250 88250 added the bug label May 16, 2019

@88250 88250 added this to the 1.6.0 milestone May 16, 2019

@0x2E

Author

commented May 16, 2019

Besides uploading archives, importing a Git repository can also bring in link files. I suggest controlling the Git import as well.

@88250

Member

commented May 16, 2019

Got it, the git feature is also going to be removed. Thanks for the advice.

88250 added a commit that referenced this issue May 16, 2019

@88250

Member

commented May 16, 2019

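  • The upload and git features have both been removed (the UI will be removed later)
  • User programs are now run isolated through docker, and an execution timeout has been added
  • The earlier symbolic link files have been deleted

If you have time, please help check again whether there are any other vulnerabilities. Many thanks ❤️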

@0x2E

Author

commented May 16, 2019

OK, if I find new problems in the future I will report them promptly 😄

@0x2E 0x2E closed this May 16, 2019
