
arbitrary file read vulnerability #304

Closed
Cynthrial opened this issue Nov 14, 2021 · 5 comments

Comments

@Cynthrial

kkFileView arbitrary file read vulnerability

Description

During a recent internal penetration test at my company I found that a deployed instance of kkFileView 4.0.0 has an arbitrary file read vulnerability: it can be used to read any file on the host, which easily leads to sensitive information leakage.

Vulnerable code location

The vulnerable code is at line 103 of kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java: the value passed in the urlPath parameter accepts the file protocol.

    /**
     * Fetch file content by URL.
     * Used when pdf.js has to read a file that is subject to cross-origin restrictions.
     *
     * @param urlPath  url
     * @param response response
     */
    @RequestMapping(value = "/getCorsFile", method = RequestMethod.GET)
    public void getCorsFile(String urlPath, HttpServletResponse response) {
        logger.info("下载跨域pdf文件url:{}", urlPath);
        try {
            URL url = WebUtils.normalizedURL(urlPath);
            byte[] bytes = NetUtil.downloadBytes(url.toString());
            IOUtils.write(bytes, response.getOutputStream());
        } catch (IOException | GalimatiasParseException e) {
            logger.error("下载跨域pdf文件异常,url:{}", urlPath, e);
        }
    }

Proof of concept (PoC)

The official demo site runs the latest version, 4.0.0, so it was used for the demonstration: visiting https://file.keking.cn/getCorsFile?urlPath=file:///etc/passwd returns the file, which proves the concept.

@gaoxingzaq
Contributor

Thanks for pointing this out.

@gaoxingzaq
Contributor

    @RequestMapping(value = "/getCorsFile", method = RequestMethod.GET)
    public void getCorsFile(HttpServletRequest request, HttpServletResponse response) {
        String query = request.getQueryString();
        // getQueryString() returns null when the request carries no query string,
        // so guard it before calling replace() on it
        if (query == null) {
            logger.info("读取跨域文件异常,url:{}", query);
            return;
        }
        query = query.replace("%20", " ");
        try {
            query = URLDecoder.decode(query, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        // Strip the parameter name and the optional disabledownload flag to get the raw URL
        String urlPath = query.replaceFirst("urlPath=", "");
        urlPath = urlPath.replaceFirst("&disabledownload=true", "");
        // Reject file: URLs and anything that is not an http(s) URL
        if (urlPath == null || urlPath.toLowerCase().startsWith("file") || !urlPath.toLowerCase().startsWith("http")) {
            logger.info("读取跨域文件异常,url:{}", urlPath);
        } else {
            logger.info("读取跨域文件url:{}", urlPath);
            try {
                URL url = WebUtils.normalizedURL(urlPath);
                byte[] bytes = NetUtil.downloadBytes(url.toString());
                IOUtils.write(bytes, response.getOutputStream());
            } catch (IOException | GalimatiasParseException e) {
                logger.error("读取跨域文件异常,url:{}", urlPath, e);
            }
        }
    }
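The root cause reported in the issue is that `getCorsFile` hands whatever scheme the caller supplies to `WebUtils.normalizedURL`, so `file:` is fetched like any other URL. The fix posted above enforces the scheme by re-parsing the raw query string and doing string prefix checks. The class below is an added example (not code from the kkFileView project or from either commenter) that checks the same property by parsing the value with `java.net.URI` and allowlisting `http`/`https`: the scheme is read from the parsed URI, compared case-insensitively, and a host is required, so `FILE:`, opaque URIs and scheme-less paths are all rejected by one rule. The class name `CorsFileUrlGuard`, the method names, the Java 11+ requirement (`Set.of`, `isBlank`) and the sample inputs in `main` are all assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Allowlist-based scheme check for the urlPath value handed to /getCorsFile.
 * Added example for this issue; not part of kkFileView.
 */
public final class CorsFileUrlGuard {

    // Only remote HTTP(S) fetches are legitimate for the cross-origin PDF use case.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private CorsFileUrlGuard() {}

    /**
     * Returns the parsed URI when urlPath is an absolute http(s) URL with a host;
     * otherwise throws IllegalArgumentException. Parsing first, then reading the
     * scheme from the URI object, avoids prefix checks on the raw string.
     */
    public static URI requireRemoteHttpUrl(String urlPath) {
        if (urlPath == null || urlPath.isBlank()) {
            throw new IllegalArgumentException("urlPath is required");
        }
        final URI uri;
        try {
            uri = new URI(urlPath.trim());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("urlPath is not a valid URI", e);
        }
        String scheme = uri.getScheme();
        // getScheme() is null for relative references such as "/etc/passwd"
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("urlPath scheme must be http or https");
        }
        // An http(s) URL without a host (for example "http:file:///x") is opaque; reject it
        if (uri.getHost() == null) {
            throw new IllegalArgumentException("urlPath must contain a host");
        }
        return uri;
    }

    /** Boolean form of the check for callers that just need accept/reject. */
    public static boolean isRemoteHttpUrl(String urlPath) {
        try {
            requireRemoteHttpUrl(urlPath);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // Constructed sample inputs for a quick self-check; they are not from the issue
    // except the file:///etc/passwd value used in the PoC above.
    public static void main(String[] args) {
        String[] samples = {
            "https://example.com/doc.pdf",   // accepted
            "http://example.com/doc.pdf",    // accepted
            "file:///etc/passwd",            // rejected: scheme not allowed
            "FILE:///etc/passwd",            // rejected: case-insensitive compare
            "/etc/passwd",                   // rejected: no scheme
            "http:file:///etc/passwd",       // rejected: no host
            null                             // rejected: missing
        };
        for (String s : samples) {
            System.out.println((isRemoteHttpUrl(s) ? "accept" : "reject") + "\t" + s);
        }
    }
}
```

In the controller this replaces the manual query-string parsing: bind the value with `@RequestParam("urlPath") String urlPath`, call `CorsFileUrlGuard.requireRemoteHttpUrl(urlPath)` before `NetUtil.downloadBytes`, and on `IllegalArgumentException` answer with `response.sendError(HttpServletResponse.SC_BAD_REQUEST)` instead of silently logging. Restricting the scheme only closes the local-file read described in this issue; it does not by itself restrict which hosts the server will fetch from, so deployments that need that should add a host allowlist on top of the parsed `uri.getHost()`.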

@gps1949

gps1949 commented Sep 13, 2022

Has this been fixed?

@pengfan8080

Has this vulnerability been fixed?

@gaoxingzaq
Contributor

It has been fixed.
