Fastcms has a zip directory traversal (zip slip) vulnerability in template installation that allows arbitrary file writes and can be escalated to server access.

Project Address

https://github.com/my-fastcms/fastcms

Project Issues

my-fastcms/fastcms#1

The following endpoint is vulnerable to directory traversal through zip entry names, which allows arbitrary file writes:

/fastcms/admin/template/install

com/fastcms/cms/controller/admin/TemplateController.java

The install method of DefaultTemplateService invokes the unzip method of FileUtils:

com/fastcms/core/template/DefaultTemplateService.java

The unzip method of FileUtils does not validate the entry names of the archive it extracts: an entry name containing ../ sequences is written relative to the extraction directory without checking that the resolved path stays inside it.

com/fastcms/common/utils/FileUtils.java

Create a zip package whose entry name contains a ../ traversal sequence;

Upload the zip package to /fastcms/admin/template/install;

The public key is written to root/.ssh/authorized_keys, and SSH login then succeeds.
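The pattern above, reproduced as an added example (this is not Fastcms code and not the reporter's proof of concept): build an archive whose entry name climbs out of the extraction directory, extract it the way an unchecked unzip does, then extract it again with a containment check that rejects the entry. The directory layout, the placeholder key and the function names are assumptions for the demonstration; the traversal entry `../.ssh/authorized_keys` stands in for whatever path the real target requires.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Constructed placeholder, not a real key: stands in for the attacker's public key.
FAKE_KEY = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL attacker@example\n"


def build_zip(entry_name: str, payload: bytes) -> bytes:
    """Build an archive with a single entry whose name is fully attacker-controlled.

    The zip format does not forbid '..' components or absolute paths in entry
    names; only the extractor can reject them.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def unzip_vulnerable(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Extract every entry to dest / entry_name with no check on the name.

    This mirrors the flaw described above. (zipfile.extractall() strips '..'
    itself, so the entries are written by hand to reproduce the bug.)
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out = dest / info.filename  # '..' and absolute names are honoured as-is
            if info.is_dir():
                out.mkdir(parents=True, exist_ok=True)
                continue
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(zf.read(info))
            written.append(out.resolve())
    return written


def unzip_safe(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Same extraction, but every resolved target must lie inside dest.

    Containment is tested on path components (Path.parents), not on a string
    prefix: a prefix test would accept '/srv/templates-evil' as being inside
    '/srv/templates'.
    """
    dest_real = dest.resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out = (dest_real / info.filename).resolve()
            if out != dest_real and dest_real not in out.parents:
                raise ValueError(f"zip entry escapes destination: {info.filename!r}")
            if info.is_dir():
                out.mkdir(parents=True, exist_ok=True)
                continue
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(zf.read(info))
            written.append(out)
    return written


def run_demo() -> dict:
    """Plant a key one level above the template directory, then show the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()        # assumed: stands in for the account's home dir
        templates = root / "templates"    # assumed: stands in for the template install dir
        templates.mkdir()

        evil = build_zip("../.ssh/authorized_keys", FAKE_KEY)
        written = unzip_vulnerable(evil, templates)
        escaped = [p for p in written if templates not in p.parents]

        try:
            unzip_safe(evil, templates)
            blocked = False
        except ValueError:
            blocked = True

        benign = build_zip("theme/index.html", b"<h1>hi</h1>")
        ok = unzip_safe(benign, templates)

        return {
            "escaped_to": str(escaped[0].relative_to(root)) if escaped else None,
            "key_planted": (root / ".ssh" / "authorized_keys").read_bytes() == FAKE_KEY,
            "safe_blocked": blocked,
            "benign_ok": ok == [templates / "theme" / "index.html"],
        }


if __name__ == "__main__":
    print(run_demo())
```

The check in `unzip_safe` is the fix an extractor needs: canonicalise the joined path and require the destination directory to be one of its ancestors before opening the file for writing. The same test rejects absolute entry names, since joining an absolute name replaces the destination entirely.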