
File Upload #17796

Closed
Pd1r opened this issue Jan 8, 2020 · 6 comments

Comments

@Pd1r

Pd1r commented Jan 8, 2020

Describe the bug

Upload jsp files to control the target server

Steps to reproduce the behavior:

  1. uri.startsWith() determines whether uri starts with /asset

[screenshot]

  2. Can bypass restricted access to files under assets, like
     /asdasd/../asset

[screenshot]

[screenshot]

  3. Upload malicious JSP file here

[screenshot]

  4. Get file id
     [screenshot]

  5. Execute arbitrary server commands
     [screenshot]

  6. Can upload even without authorization
     [screenshot]

dir like this
[screenshot]

@wezell
Contributor

wezell commented Jan 8, 2020

@Pd1r Questions on this:

  1. What app server is this running? Tomcat or something else? Is it behind any proxy or using any special connectors?
  2. What OS is the server running? Is it containerized? If so, what is the base os. If Linux, what distro?

I am trying to reproduce this and I cannot:

curl -XPOST http://localhost:8080/234aa/../assets/messages/cms_language_en.properties

gives me a 403

When I step through and debug the code, the uri variable at this line
https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotmarketing/filters/CMSFilter.java#L87
has been made absolute, stripped of any relative pathing, e.g.

[screenshot]

@wezell wezell added the OKR : Security & Privacy Owned by Mehdi label Jan 8, 2020
@Pd1r
Author

Pd1r commented Jan 9, 2020

server : tomcat 8.5.32
os : 10.14.6
Tool : Can't use curl, need Burp Suite
Unreachable when I use localhost; it is possible to use the IP assigned by the router.

I downloaded from here
[screenshot]
[screenshot]

[screenshot]

@wezell wezell added this to the Bug Sprint milestone Jan 9, 2020
@wezell
Contributor

wezell commented Jan 9, 2020

@Pd1r thank you for the report and details, I can confirm this. We are working on a fix.

jgambarios added a commit that referenced this issue Jan 10, 2020
* Created new Filter to intercept and normalize URIs

* Applied feedback #17796
@jgambarios
Contributor

PR: #17809

jgambarios added a commit that referenced this issue Jan 13, 2020
* Created new Filter to intercept and normalize URIs

* Applied feedback #17796

(cherry picked from commit c498997)
@bryanboza
Member

Fixed, tested on release-5.2.4 // Postgres // FF

@wezell wezell closed this as completed Jan 24, 2020
@wezell wezell removed this from the Bug Sprint milestone Feb 4, 2020
@cfi-gb

cfi-gb commented Feb 7, 2020

I am trying to reproduce this and I cannot:

curl -XPOST http://localhost:8080/234aa/../assets/messages/cms_language_en.properties

Note that you need to pass the --path-as-is parameter for directory traversals in such curl calls:

--path-as-is Do not squash .. sequences in URL path
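
To make the defensive point of this thread concrete, here is an added example (not dotCMS code, and not the filter from PR #17809): a raw startsWith() on the request URI is compared with a check that normalizes the path first, which is the job the "normalize URIs" filter in the fix commits was created for. The class name UriPrefixCheck, the PROTECTED_PREFIX constant and the sample URIs are assumptions modelled on the report, not the project's real configuration; in a deployment this logic would sit in a servlet Filter ahead of the routing decision. It also illustrates cfi-gb's point: the check only sees a traversal if the client sends the path verbatim, so any regression test must send the raw path (curl's --path-as-is) rather than let the client squash ".." first.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added example, not dotCMS code. Compares the naive prefix test described in
 * the report with a check that normalizes the path before testing the prefix.
 * PROTECTED_PREFIX and the sample URIs are assumptions modelled on the issue.
 */
public final class UriPrefixCheck {

    /** Assumed protected prefix, as in the report. */
    static final String PROTECTED_PREFIX = "/assets";

    /** The check as described in the report: a plain prefix test on the raw URI. */
    static boolean naiveIsProtected(String rawUri) {
        return rawUri.startsWith(PROTECTED_PREFIX);
    }

    /** Hardened check: normalize first, refuse anything that cannot be normalized. */
    static boolean isProtected(String rawUri) {
        String path = normalize(rawUri);
        if (path == null) {
            return true; // climbs above root or hides a separator: treat as protected (reject)
        }
        return path.equals(PROTECTED_PREFIX) || path.startsWith(PROTECTED_PREFIX + "/");
    }

    /**
     * Resolve "." and ".." segments on the raw request path without touching the
     * file system. Each segment is percent-decoded before comparison so "%2e%2e"
     * is treated as "..". Returns null for a path that escapes the root or whose
     * decoded segment still contains a separator (an encoded "/" or "\").
     */
    static String normalize(String rawUri) {
        int q = rawUri.indexOf('?');
        String path = q >= 0 ? rawUri.substring(0, q) : rawUri; // the rule applies to the path only
        Deque<String> segments = new ArrayDeque<>();
        for (String raw : path.split("/")) {
            String seg = percentDecode(raw);
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null; // "/../x": attempt to go above the root
                }
                segments.removeLast();
                continue;
            }
            if (seg.indexOf('/') >= 0 || seg.indexOf('\\') >= 0) {
                return null; // separator smuggled through percent-encoding
            }
            segments.addLast(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String s : segments) {
            sb.append('/').append(s);
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    /** Minimal percent-decoder that leaves '+' alone (it is not a space in a path). */
    static String percentDecode(String s) {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()) {
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi >= 0 && lo >= 0) {
                    buf.write((hi << 4) | lo);
                    i += 2;
                    continue;
                }
            }
            byte[] b = String.valueOf(c).getBytes(StandardCharsets.UTF_8);
            buf.write(b, 0, b.length);
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample URIs; the second has the shape reported in the issue.
        String[] samples = {
            "/assets/messages/cms_language_en.properties",
            "/234aa/../assets/messages/cms_language_en.properties",
            "/234aa/%2e%2e/assets/x",
            "/../assets/x",
            "/assets-public/x",
        };
        for (String uri : samples) {
            System.out.printf("%-55s naive=%-5s normalized=%-45s hardened=%s%n",
                    uri, naiveIsProtected(uri), normalize(uri), isProtected(uri));
        }
    }
}
```

Run the class as-is: the second and third samples are judged not protected by the naive test but protected once normalized, the fourth is rejected outright because it climbs above the root, and the last shows the naive prefix test also over-matches a sibling directory because it never checks for a segment boundary.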

@dotCMS dotCMS locked as resolved and limited conversation to collaborators Feb 7, 2020