Halo Blog CMS1.4.17 Fileupload without file type authentication #1702

Closed
ziping21 opened this issue Mar 4, 2022 · 1 comment
Labels: kind/bug (Categorizes issue or PR as related to a bug.), kind/feature (Categorizes issue or PR as related to a new feature.)

ziping21 commented Mar 4, 2022

Which version has this problem?

1.4.17

Which database is used?

MySQL 5.7

Which deployment method is used?

Fat Jar

Online site address

https://demo.halo.run/admin/index.html#/comments

What happened?

The vulnerability can lead to the upload of arbitrary malicious script files.

Relevant log output

no

Additional information

Black-box penetration:

  1. Use (demo:P@ssw0rd123...) to log in at https://demo.halo.run/admin, then find the
     attachment upload feature and try to upload a random image.

[image]

  2. While uploading a random image, use Burp Suite to capture the request packet and forward it to the Repeater module.

[image]

  3. You can tell from the screenshot below that we successfully uploaded the image, and we can also get the path of the image according to the response.

[image]

  4. Now we want to use the feature again. This time, try to change the file suffix and modify the file content at the same time. After doing that, send the request again. The upload is still successful, and the file path is also returned.

[image]

  5. Now try to access the file path within the URL below, and our XSS payload is successfully executed.

[image]

  6. Screenshots of other file types uploaded are as follows:

[image]

[image]

Source code review:
Try to download the source code for source-code security analysis:
https://github.com/halo-dev/halo/releases/tag/v1.4.17 (latest version 1.4.17)

[image]

  1. Check the source code and locate the class src\main\java\run\halo\app\controller\admin\api\AttachmentController.java.
     According to the annotations on this class, you can find that all requests to the path /api/admin/attachments are handled by this class.

[image]

  2. The /upload path used by the upload interface will access the uploadAttachment method of this class.

[image]

  3. As you can see, this method receives the file from the client side, then passes the file object as an argument to the upload() method of the AttachmentServiceImpl class and executes it, and then passes the result as an argument to the convertToDto() method of the AttachmentServiceImpl class.
  4. So let's follow up on the upload() method first: locate the src\main\java\run\halo\app\service\impl\AttachmentServiceImpl.java class and dive into the upload() method.

[image]

  5. You can see that the code does not have any file suffix check, and finally the upload() method returns a create(attachment) object. Continuing into the create() method, you can see that an Attachment class object is returned, and there is no file check there either.

[image]

  6. The returned object is passed as an argument to the convertToDto() method of the src\main\java\run\halo\app\service\impl\AttachmentServiceImpl.java class, in which you can see that the code writes the path of the uploaded file to the AttachmentDTO instance object. It can be found that there is no permission-checking logic, and finally the method returns an AttachmentDTO instance object.

[image]

  7. When the file path is set, this information is included in the response packet and eventually fed back to the client, so we can successfully access the uploaded file based on the path information in the response packet.
  8. According to the analysis of the above code, we can see that there is no logic in the code to check the file suffix, file content or file format, so it can lead to arbitrary file upload.
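As an added illustration (not Halo's code, and not part of the report above), the kind of check the report says is missing from upload(): an allowlist of extensions, rejection of double extensions and control characters, and a magic-byte check so the content must match the declared type. The allowlist and sample files are constructed here.

```python
"""Added example of the missing file-type check; not Halo's Java code.
Accept an upload only when the filename extension is allowlisted AND the
file's leading bytes match that type, so 'xss.html' or an HTML body renamed
to '.png' are both rejected."""
import os
import re

# Constructed allowlist: extension -> accepted leading magic bytes.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Filename stem: letters, digits, '_' and '-' only, bounded length.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate attachment upload."""
    # Drop NUL bytes and any directory part before looking at the name.
    name = os.path.basename(filename.replace("\x00", ""))
    # Exactly one dot: rejects 'shell.jsp.png' style double extensions.
    if name.count(".") != 1:
        return False, "filename must have exactly one extension"
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if not SAFE_STEM.fullmatch(stem):
        return False, "disallowed characters in filename"
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allowlist"
    # Content must really be the declared image type, not just named so.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a real PNG header and an HTML body renamed .png.
    print(validate_upload("cat.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 8))
    print(validate_upload("page.png", b"<html><body>hi</body></html>"))
```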
@ziping21 ziping21 added the kind/bug Categorizes issue or PR as related to a bug. label Mar 4, 2022
@ruibaby ruibaby added this to the 2.0 milestone Mar 4, 2022
Member

ruibaby commented Mar 5, 2022

We will provide the setting to allow file extensions to be uploaded in 2.0, thank you for your feedback.

@ruibaby ruibaby added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 5, 2022
@JohnNiang JohnNiang modified the milestones: 2.0.0, 2.0.x Dec 1, 2022
@JohnNiang JohnNiang modified the milestones: 2.0.x, Backlog Dec 16, 2022
@ruibaby ruibaby closed this as completed May 11, 2023