Hello:

The 360 Code Safe (代码卫士) team has found an arbitrary file download vulnerability in the litemall project. Please confirm; the details are as follows:
WxStorageController.java provides a file download function.
Because the file name is not validated, a malicious attacker can download files of any type, and can use ../ to traverse and download files from any path.
Many thanks for the help with security. I have added a check for the ../ string here: 49ab94d0052672d4fb642505d44b94a18abea332. However, I have relaxed the validation of the file name; for now I think downloading files of arbitrary types is not a concern.
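The issue above is a path traversal in a download endpoint, and the fix discussed is a check for the `../` substring. The following is an added example, not litemall's own code or the commit referenced above: it shows the containment check a reviewer would usually ask for instead, resolving the requested name against the storage root and verifying that the normalized path still lies inside it, so that absolute paths and `..` segments in any form are rejected. The class name, the `storageRoot` parameter and the sample file names are assumptions made for this illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Hardened path resolution for a file-download endpoint.
 * Added illustration (hypothetical class), not code from the litemall project.
 * Rather than searching the request for the literal "../", it joins the requested
 * name onto the storage root and checks that the normalized result is still
 * inside that root; this also rejects absolute paths and mixed separators.
 */
public final class SafeDownloadPath {

    private SafeDownloadPath() {}

    /**
     * Returns the path to serve if requestedName stays inside storageRoot,
     * otherwise throws IOException so the controller can answer with an error.
     */
    public static Path resolveInsideRoot(Path storageRoot, String requestedName) throws IOException {
        // Canonical form of the allowed directory (follows symlinks, drops "." and "..").
        Path root = storageRoot.toRealPath();
        // resolve() with an absolute requestedName ignores root, so the check below
        // also catches "/etc/..." style input; normalize() collapses ".." lexically.
        Path candidate = root.resolve(requestedName).normalize();
        // Containment check: every accepted path must have root as its prefix.
        if (!candidate.startsWith(root)) {
            throw new IOException("request escapes storage root: " + requestedName);
        }
        // If the file exists, also follow symlinks so a link inside root cannot point outside it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            throw new IOException("symlink escapes storage root: " + requestedName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary directory stands in for the storage root.
        Path root = Files.createTempDirectory("storage");
        System.out.println("accepted: " + resolveInsideRoot(root, "report.pdf"));
        for (String bad : new String[] {"../../outside.txt", "sub/../../outside.txt", "/tmp/outside.txt"}) {
            try {
                resolveInsideRoot(root, bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

A substring test for `../` alone does not cover absolute paths or names that normalize to a parent directory only after joining, which is why the containment check is the usual recommendation.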