Version
v1.15.4
Description
Authenticated users can read arbitrary files on the server with the file download function.
API: /api/automation/file/download
Vulnerable source code: ApiAutomationService.java

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;

public byte[] loadFileAsBytes(FileOperationRequest fileOperationRequest) {
    // The request's id and name are concatenated into the path without any validation,
    // so the resulting File is not confined to FileUtils.BODY_FILE_DIR.
    File file = new File(FileUtils.BODY_FILE_DIR + "/" + fileOperationRequest.getId()
            + "_" + fileOperationRequest.getName());
    try (FileInputStream fis = new FileInputStream(file);
         ByteArrayOutputStream bos = new ByteArrayOutputStream(1000)) {
        byte[] b = new byte[1000];
        int n;
        while ((n = fis.read(b)) != -1) {
            bos.write(b, 0, n);
        }
        // Whatever file the path resolved to is returned to the caller in full.
        return bos.toByteArray();
    } catch (Exception ex) {
        LogUtil.error(ex);
    }
    return null;
}
```

To Reproduce
I have tested this vulnerability on the demo website https://demo.metersphere.com/. Using the payload below, we successfully read /etc/passwd.
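The root cause above is that the requested id and name are joined onto the body-file directory without confining the result to that directory. The following is an added example of a hardened variant of the same method, written for this page and not MeterSphere's own fix (the project's actual fix is in the commits referenced below and is not reproduced here). It assumes a `SafeFileDownload` class, a `bodyFileDir` constructor argument standing in for the project's `FileUtils.BODY_FILE_DIR`, and the same `<id>_<name>` file-naming convention; those names are assumptions. The check rejects path separators in either component, normalizes the candidate path, and finally resolves symlinks with `toRealPath` so that a link inside the directory pointing outside it is also refused.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not MeterSphere's code): a download helper that only serves
 * files whose canonical location is inside the configured body-file directory.
 */
public class SafeFileDownload {

    private final Path baseDir;

    public SafeFileDownload(String bodyFileDir) throws IOException {
        // Canonicalise the base once so symlinks in the base path itself do not confuse the check.
        this.baseDir = Paths.get(bodyFileDir).toRealPath();
    }

    /** Mirrors the original signature's behaviour of returning null on any failure or rejection. */
    public byte[] loadFileAsBytes(String id, String name) {
        Path target = resolveInside(id, name);
        if (target == null) {
            return null;
        }
        try (FileInputStream fis = new FileInputStream(target.toFile());
             ByteArrayOutputStream bos = new ByteArrayOutputStream(1000)) {
            byte[] b = new byte[1000];
            int n;
            while ((n = fis.read(b)) != -1) {
                bos.write(b, 0, n);
            }
            return bos.toByteArray();
        } catch (IOException ex) {
            return null;
        }
    }

    /**
     * Builds "<id>_<name>" exactly as the original does, then proves the canonical
     * result still lives under baseDir. Returns null when it does not (".." segments,
     * absolute paths, or a symlink that escapes the directory).
     */
    Path resolveInside(String id, String name) {
        if (id == null || name == null || id.isEmpty() || name.isEmpty()) {
            return null;
        }
        // A legitimate id/name is a single file-name component: reject separators outright.
        if (id.contains("/") || id.contains("\\") || name.contains("/") || name.contains("\\")) {
            return null;
        }
        Path candidate = baseDir.resolve(id + "_" + name).normalize();
        if (!candidate.startsWith(baseDir)) {
            return null;
        }
        try {
            // toRealPath follows symlinks; the file must exist for a download anyway.
            Path real = candidate.toRealPath();
            return real.startsWith(baseDir) ? real : null;
        } catch (IOException e) {
            return null; // missing or unreadable file
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo data: a temporary directory holding one body file.
        Path dir = Files.createTempDirectory("bodyfiles");
        Files.write(dir.resolve("42_data.csv"), "a,b\n1,2\n".getBytes());
        SafeFileDownload dl = new SafeFileDownload(dir.toString());
        System.out.println(dl.loadFileAsBytes("42", "data.csv") != null);   // expected: true
        System.out.println(dl.loadFileAsBytes("42", "../data.csv") == null); // expected: true (rejected)
    }
}
```

Rejecting separators before building the path is the cheap first line of defence; the `startsWith` check after `normalize()` and again after `toRealPath()` is what actually guarantees the served file is inside the directory, and keeping both means a request is refused even if one of the checks is later weakened.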
Thanks very much for your discovery, we will fix it within the next version.
fix: the csv download API could access system directories
18c62d9
close #8652
0bca449
4f3bb99
d74e02c
AgAngle
youliyuan-fit2cloud