A URL redirection vulnerability exists in the /filex/img/** interface of the REBUILD system #596
Comments
Thanks for the feedback, we will fix it as soon as possible!
getrebuild added a commit that referenced this issue on Mar 21, 2023:
* fix: `trigger/exec-manual` async * fix: lang * fix: #596
We have fixed it, thanks for the report.
getrebuild added a commit that referenced this issue on May 5, 2023:
* Enh charts (#575) * NN * feat: LINE/BAR 2dim and dateContinuous --------- Co-authored-by: RB <getrebuild@sina.com> * Copy role (#576) * feat: showAllUsers * feat: role copy * bg-guide --------- Co-authored-by: RB <getrebuild@sina.com> * base support (#579) * Excel pdf (#581) * Bump lib * excel to pdf * PdfConverter --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Files access (#582) * code style * se:conf * feat: folder rights --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Showfields spec (#584) * field CLASSIFICATION dv * feat: SYS for DataList * view > details * Trigger async (#585) * synchronous send * Update @rbv --------- Co-authored-by: RB <getrebuild@sina.com> * N2n aggregation (#587) * list view * bump * better delete * Update @rbv * star userid * fieldVarsN2NPath * USER_OWNS No warn --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Single field after reload (#589) * v3.3 compact * singleField reload * .col-right-compact --------- Co-authored-by: RB <getrebuild@sina.com> * List styles (#590) * quick-filter-pane v3 * dock page * better * H5 sync (#593) * Update submail.html * better files * Update @rbv * H5 sync2 (#595) * style: directory style gh * style: J_new * feat: advListFilterTabs * feat: nav-copyto * enh: mnemonic code full pinyin * enh: map search point selection * enh: topnav * list pn * .form-line.v33 * open TAG * KVS addShutdownHook * fix: #594 --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Fix long request (#599) * fix: `trigger/exec-manual` async * fix: lang * fix: #596 * open: detailsNotEmpty (#600) * open: detailsNotEmpty * enh: template preview * protable tipping * be: form-design * be: file upload noname * style: better * be: NTEXT \n --------- Co-authored-by: RB <getrebuild@sina.com> * List topnav (#601) * setHidden * enh: THROTTLED_QUEUE * enh: PageTokenVerify 2h * fix: Mix N2N & styles * feat: form backfill source field supports second level * be: showStartGuide * fix: spec label * fix: chart scale * fix: file copy --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Trigger fa n2n (#602) * style * Update entities-sheet.html * be: N2N in FieldWriteback * feat: fa target field supports N2N NTEXT * Update trigger.FIELDAGGREGATION.js * be * Update LogFunction.java * be: save tips * transform-design * be: meta-name trim * enh: show import speed * Project view (#603) * relaxed-path-chars * be: style * feat: LiteForm, setNullable, setTip * be: forms include * Update @rbv * style: line breaks * enh: customized * style: dialog footer --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Excel use refs (#605) * template v33 * be: schema timeout * DataList renderAfter * enh: whenUpdateFields * be: RbAlter hide force * Update @rbv * fix: useValueOfVarRecord --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * import for users (#608) * fix: template v33 * feat: clearFields * be: login btn * enh: direct print * fix: textCommon overflow * be: J_decimalTypeFlag * be: styles & ID * AssertFailedException * be: aviator func * FieldWritebackRefresh * SSS * be: RecordBuilder * classification-editor * Update ClassificationFileImporter.java * be: target record DELETED * Update BarCodeSupport.java * feat: N selected * imports for users * be: barcode w/h * Update DataImportController.java * be: TopNav * open: textCommon * feat: EnableBizzPart * text $separator --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Better v3.3 (#610) * be: style * 3.3.0-beta1 * be --------- Co-authored-by: devezhao <zhaofang123@gmail.com>
Version
<=3.2.3
What's the problem
A URL redirection vulnerability exists in the /filex/img/** interface of the REBUILD system.
How to reproduce this problem
Function points
1. In the feeds ("dynamic") function, create a new post that includes an image and click Publish. Capture the request to the /feeds/post/publish interface and change the content of the images field.
2. View the front-end page: http://www.baidu.com has been successfully added.
3. Click "Download file": the browser is successfully redirected to http://www.baidu.com.
System environment (OS/MySQL/Browser etc)
Mysql 5.7.26
Windows
JDK1.8.0_341
Chrome
Suggested description
A URL redirection vulnerability exists in rebuild <=3.2.3.
Vulnerability Type
URL Redirection
Vendor of Product
https://github.com/getrebuild/rebuild
Affected Product Code Base
<=3.2.3
Affected Component
/feeds/post/publish
/filex/img/**
Attack Type
Remote
Cause of vulnerability
In the com.rebuild.web.commons.FileDownloader#viewImg() method, the path of the image is obtained from the request, the image is fetched according to that path, and the response is then redirected based on the obtained content.
The path of the image is passed in by the com.rebuild.web.feeds.FeedsPostController#publish method.
An attacker can change the image path information to a malicious website address, so that a URL redirection occurs when a user clicks to download the file.
The end, thanks!
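The report above boils down to one missing check: a value that the publish endpoint stored verbatim is later handed to a redirect. The following is an added example (Java 16+, not REBUILD's own code and not the fix the maintainers shipped) of a single reference policy that could be applied both when the images list is stored and when /filex/img/** serves it. The allowlisted host cdn.example.com, the https-only rule and the assumption that uploaded files live under relative storage keys are all assumptions made for the demo, as are the class and method names.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not REBUILD code. One policy for the "images" values that the
 * publish endpoint stores and that the image view endpoint later turns into a
 * local file read or a redirect. Demo assumptions: uploaded files are stored
 * under relative keys, and external image URLs are only acceptable over https
 * and on the allowlisted host below.
 */
public final class ImageRefPolicy {

    /** Assumed: the only host an image view request may be redirected to. */
    private static final Set<String> ALLOWED_HOSTS = Set.of("cdn.example.com");

    public enum Kind { LOCAL_FILE, TRUSTED_URL, REJECTED }

    /** Outcome of checking one reference; target is null when rejected. */
    public record Decision(Kind kind, String target) {}

    private static final Decision REJECTED = new Decision(Kind.REJECTED, null);

    private ImageRefPolicy() {}

    /**
     * Classify one stored image reference. A relative storage key is served from
     * local storage; an absolute URL is followed only when its host is allowlisted.
     * Everything else is rejected, so an attacker-supplied "http://www.baidu.com"
     * never reaches response.sendRedirect().
     */
    public static Decision resolve(String ref) {
        if (ref == null || ref.isBlank() || ref.length() > 2048) {
            return REJECTED;
        }
        String s = ref.strip();
        // CR/LF or other control characters would allow header injection via Location.
        for (char c : s.toCharArray()) {
            if (c < 0x20 || c == 0x7f) {
                return REJECTED;
            }
        }
        // Anything starting with "/" (including scheme-relative "//host") or carrying
        // a ":" (a scheme) is not a storage key and goes through the URL checks below.
        if (!s.startsWith("/") && !s.contains(":")) {
            // Storage key: refuse traversal and backslashes before joining with the storage root.
            if (s.contains("..") || s.contains("\\")) {
                return REJECTED;
            }
            return new Decision(Kind.LOCAL_FILE, s);
        }
        URI uri;
        try {
            uri = new URI(s);
        } catch (URISyntaxException e) {
            return REJECTED;
        }
        // getScheme() is null for scheme-relative "//host"; getHost() is null when the
        // authority is malformed; user info ("allowed-host@real-host") is never legitimate here.
        if (uri.getScheme() == null || uri.getHost() == null || uri.getUserInfo() != null) {
            return REJECTED;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return REJECTED;
        }
        // Exact host match: "cdn.example.com.attacker.example" fails because URI
        // reports the real host, not a prefix of it.
        if (!ALLOWED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT))) {
            return REJECTED;
        }
        return new Decision(Kind.TRUSTED_URL, uri.toString());
    }

    /** Publish-time gate: reject the whole post if any image reference would not be servable. */
    public static boolean allServable(List<String> images) {
        return images != null && images.stream().allMatch(r -> resolve(r).kind() != Kind.REJECTED);
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal upload key, an allowlisted URL, and the kinds of
        // values an attacker could put into the tampered "images" field of the publish request.
        List<String> samples = List.of(
                "rb/202303/avatar.png",
                "https://cdn.example.com/rb/202303/avatar.png",
                "http://www.baidu.com",
                "//www.baidu.com/a.png",
                "https://cdn.example.com@www.baidu.com/a.png",
                "https://cdn.example.com.attacker.example/a.png",
                "../../../etc/passwd",
                "https://cdn.example.com/a.png\r\nSet-Cookie: x=y");
        for (String s : samples) {
            System.out.printf("%-12s <- %s%n", resolve(s).kind(), s.replace("\r\n", "\\r\\n"));
        }
        System.out.println("publish allowed: " + allServable(samples));
    }
}
```

Checking at publish time as well as at view time matters: a reference that was stored before the view-side check existed is still served by the old code path, and validating once on write keeps the stored data trustworthy for every later consumer (downloads, thumbnails, exports), not just the one redirect handler the report exercised.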