SEVEN high-risk vulnerabilities #51

Open
@MysteryZ

Description

Hi, there are SEVEN high-risk vulnerabilities in the Administrator background. Please fix it as soon as possible.
Five arbitrary file upload vulnerabilities.
In HelpManageAction.java, MembershipCardManageAction.java, QuestionManageAction.java, TopicManageAction.java and ForumManageAction.java, there is the following insecure code.

if (file.getContentType().equalsIgnoreCase("application/octet-stream")) {
    // Only the leading bytes of the stream are inspected; the file name / suffix is never checked.
    String fileType = FileType.getType(file.getInputStream());
    for (String format : formatList) {
        if (format.equalsIgnoreCase(fileType)) {
            authentication = true;   // upload is accepted
            break;
        }
    }
}
And the getType function code is below.
public static String getType(InputStream inputStream) throws IOException {
    // Reads a hex prefix of the stream; `type` maps magic-byte prefixes to format names.
    String fileHead = getFileContent(inputStream);
    if (fileHead == null || fileHead.length() == 0) {
        return null;
    }

    fileHead = fileHead.toUpperCase();

    for (Map.Entry<String, String> entry : type.entrySet()) {
        if (fileHead.startsWith(entry.getKey())) {
            return entry.getValue();
        }
    }
    return null;
}

If Content-Type is "application/octet-stream", the program will go to the getType function, and the function does not strictly check file suffixes.
Proof of concept.
Log in as the administrator first, then choose the topic list and upload a file. With Burp Suite, you can change the Content-Type parameter to application/octet-stream and change the filename to 1.jsp.
You can find the webshell uploaded successfully.

The other is a Zip Slip vulnerability.
The problem lies in the system upgrade function.
The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh).
The UpgradeNow function in UpgradeManageAction.java unzips the uploaded zip file without checking filenames.

ZipUtil.unZip(updatePackage_path, temp_path);

The hacker can exploit the website like this.

The third vulnerability is code injection.
Background management template.

You can edit the HTML file, so we can insert evil code, as the HTML will be processed by the FreeMarker engine.
When you access the website, the injected evil code will execute.
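The upload checks quoted in the report accept a file as soon as its leading bytes match an entry in the magic-byte map, regardless of the client-supplied name. The following is an added example of how such a validator can be hardened; it is not code from this project, and the `SafeUploadValidator` class, the image-only allowlist and the magic-byte table are assumptions chosen for illustration. It checks the extension against an allowlist, checks the content against the magic bytes expected for that extension, and discards the client name in favour of a server-generated one.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/** Hardened upload validation (added example; not the project's own code). */
public final class SafeUploadValidator {

    // Assumption: this endpoint is only meant to accept images.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("jpg", "jpeg", "png", "gif");

    // Upper-case hex magic-byte prefixes for the allowed formats (same idea as the project's FileType map).
    private static final Map<String, String> MAGIC = Map.of(
            "FFD8FF", "jpg",
            "89504E47", "png",
            "47494638", "gif");

    /**
     * Validates an upload and returns the server-chosen file name to store it under.
     * Throws IOException when the file must be rejected.
     */
    public static String validate(String originalName, InputStream in) throws IOException {
        // 1. Extension allowlist on the client-supplied name; Content-Type is never consulted.
        String ext = extensionOf(originalName);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IOException("extension not allowed: '" + ext + "'");
        }

        // 2. Content check: the magic bytes must identify a format consistent with the extension.
        String head = hexHead(in, 4);
        String detected = MAGIC.entrySet().stream()
                .filter(e -> head.startsWith(e.getKey()))
                .map(Map.Entry::getValue)
                .findFirst()
                .orElse(null);
        if (detected == null) {
            throw new IOException("unrecognised file content");
        }
        String normalisedExt = ext.equals("jpeg") ? "jpg" : ext;
        if (!detected.equals(normalisedExt)) {
            throw new IOException("content/extension mismatch: " + detected + " vs " + ext);
        }

        // 3. Never reuse the client name on disk: random name plus the verified extension.
        return UUID.randomUUID() + "." + detected;
    }

    /** Last extension of the base name, lower-cased; "" when there is none. */
    static String extensionOf(String name) {
        // Strip any path component the client may have sent.
        int sep = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String base = name.substring(sep + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) {
            return "";
        }
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Upper-case hex of the first n bytes of the stream. */
    static String hexHead(InputStream in, int n) throws IOException {
        byte[] buf = new byte[n];
        int read = in.readNBytes(buf, 0, n);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < read; i++) {
            sb.append(String.format("%02X", buf[i]));
        }
        return sb.toString();
    }
}
```

With this check a name such as 1.jsp, or x.jpg.jsp, is rejected at step 1 before any bytes are read, and a JPEG body uploaded under a .png name is rejected at step 2. Storing the result under a directory the servlet container does not serve as executable content closes the remaining path to a webshell even if a check is bypassed.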

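The Zip Slip finding comes down to one missing check in the extraction routine: the normalised destination of each entry must stay inside the target directory. The following is an added example of a Zip-Slip-safe extractor written for this issue; it is not the project's ZipUtil, and the `SafeUnzip` class and the per-entry size and entry-count limits are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/** Zip-Slip-safe extraction (added example; not the project's ZipUtil). */
public final class SafeUnzip {

    // Assumed limits to bound decompression-bomb style input as well.
    private static final long MAX_ENTRY_BYTES = 50L * 1024 * 1024;
    private static final int MAX_ENTRIES = 10_000;

    /** Extracts archive into destDir and returns the number of entries written. */
    public static int unzip(Path archive, Path destDir) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Files.createDirectories(root);
        int count = 0;
        try (InputStream raw = Files.newInputStream(archive);
             ZipInputStream zin = new ZipInputStream(raw)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                if (++count > MAX_ENTRIES) {
                    throw new IOException("too many entries in archive");
                }
                Path target = resolveInside(root, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    copyBounded(zin, target);
                }
                zin.closeEntry();
            }
        }
        return count;
    }

    /**
     * The check that a plain unzip lacks: resolve the entry name against root,
     * normalise away any ".." segments, and refuse anything that leaves root.
     * Handles relative traversal ("../../evil.sh") and absolute names ("/etc/x").
     */
    static Path resolveInside(Path root, String entryName) throws IOException {
        if (entryName == null || entryName.isEmpty()) {
            throw new IOException("empty zip entry name");
        }
        Path target = root.resolve(entryName).normalize();
        // Path.startsWith compares whole path components, so "/a/b" does not match "/a/bc".
        if (!target.startsWith(root)) {
            throw new IOException("zip entry escapes destination: " + entryName);
        }
        return target;
    }

    /** Copies one entry to disk, aborting if it exceeds the per-entry limit. */
    private static void copyBounded(InputStream in, Path target) throws IOException {
        byte[] buf = new byte[8192];
        long total = 0;
        try (OutputStream out = Files.newOutputStream(target)) {
            int n;
            while ((n = in.read(buf)) > 0) {
                total += n;
                if (total > MAX_ENTRY_BYTES) {
                    throw new IOException("entry too large: " + target);
                }
                out.write(buf, 0, n);
            }
        }
    }
}
```

Applied to the report's example, an entry named ../../evil.sh extracted into /opt/app/temp normalises to /opt/evil.sh, which does not start with the root and is refused before anything is written; the `ZipUtil.unZip(updatePackage_path, temp_path)` call in the upgrade path would need the equivalent of `resolveInside` on every entry.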