[BUG]Arbitrary File Upload Vulnerability leading to RCE in v1.15.4 #8653

Closed
rainmanzzz opened this issue Dec 20, 2021 · 2 comments
Labels: "Status: awaiting feedback" (waiting for the user to provide detailed reproduction steps, file logs or similar information), "Status: awaiting verification", "Type: defect" (behaviour during use that does not match expectations)

@rainmanzzz

Version

v1.15.4

Description

Unauthenticated users can upload any kind of file to an arbitrary directory, which could lead to RCE.

API: /resource/md/upload

Vulnerable source code:
ResourceService.java

    public void mdUpload(MdUploadRequest request, MultipartFile file) {
        FileUtils.uploadFile(file, FileUtils.MD_IMAGE_DIR, request.getId() + "_" + request.getFileName());
    }

To Reproduce

I have tested this vulnerability on the demo website https://demo.metersphere.com/.
Post the data below and we successfully upload a file .1 under the /root/ directory.
image
If we write a cron job, then we can execute commands remotely.
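
An added example, not MeterSphere's code or its actual fix: one way to keep a name built as in `mdUpload` inside the upload directory, assuming the out-of-directory write comes from path separators in the client-supplied `id` or `fileName`. `SafeUploadPath`, `BASE`, `naive` and `contained` are hypothetical names, and the base path is a placeholder.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeUploadPath {
    // Placeholder standing in for FileUtils.MD_IMAGE_DIR; the real value is not shown in the issue.
    static final Path BASE = Paths.get("/tmp/md-image-dir-placeholder").toAbsolutePath().normalize();

    // Where plain concatenation of client-supplied parts points, resolved lexically.
    static Path naive(String id, String fileName) {
        return BASE.resolve(id + "_" + fileName).normalize();
    }

    // Hardened: the name must be a single path component and must land directly inside BASE.
    static Path contained(String id, String fileName) throws IOException {
        String name = id + "_" + fileName;
        // Reject separators and NUL outright rather than trying to strip them.
        if (name.contains("/") || name.contains("\\") || name.indexOf('\0') >= 0) {
            throw new IOException("illegal character in file name");
        }
        Path target = BASE.resolve(name).normalize();
        // Defence in depth: after normalization the parent must be exactly BASE.
        if (!BASE.equals(target.getParent())) {
            throw new IOException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not the request from the issue.
        String[][] samples = {
            {"42", "diagram.png"},
            {"../../x", "y.txt"},
            {"42", "/../../outside.txt"},
            {"42", "sub\\..\\x.png"},
        };
        for (String[] s : samples) {
            String verdict;
            try {
                verdict = "accepted -> " + contained(s[0], s[1]);
            } catch (IOException e) {
                verdict = "rejected (" + e.getMessage() + ")";
            }
            System.out.println("naive: " + naive(s[0], s[1]) + " | hardened: " + verdict);
        }
    }
}
```

This covers only path containment; the missing authentication on the endpoint is a separate control.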

@github-actions github-actions bot added the "Status: awaiting handling" (assigned to the relevant handler; waiting for the handler to process it and update the status) label Dec 20, 2021
@youliyuan-fit2cloud youliyuan-fit2cloud added this to the v1.16.0 milestone Dec 21, 2021
@youliyuan-fit2cloud

Thanks very much for your discovery, we will fix it within the next version.

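@github-actions github-actions bot added "Status: awaiting feedback" (waiting for the user to provide detailed reproduction steps, file logs or similar information) and removed "Status: awaiting handling" (assigned to the relevant handler; waiting for the handler to process it and update the status) labels Dec 21, 2021
@youliyuan-fit2cloud youliyuan-fit2cloud added "Type: defect" (behaviour during use that does not match expectations) "Status: awaiting verification" labels Dec 23, 2021
@youliyuan-fit2cloud

Fixed in v1.16 and later versions.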
