Fastcms system has a zip package directory traversal vulnerability that allows for arbitrary file writing. And gain server privileges; #1

Open
ha1yuYiqiyinHangzhouTechn0logy opened this issue Feb 23, 2023 · 3 comments


@ha1yuYiqiyinHangzhouTechn0logy

Fastcms system has a zip package directory traversal vulnerability that allows for arbitrary file writing and gaining server privileges.

/fastcms/admin/template/install
This interface has a zip package directory traversal vulnerability that allows for arbitrary file writing.

com/fastcms/cms/controller/admin/TemplateController.java

The install method of DefaultTemplateService invoked the unzip method of FileUtils.

com/fastcms/core/template/DefaultTemplateService.java

The unzip method of FileUtils did not do any logical judgment on the decompressed zip package.

com/fastcms/common/utils/FileUtils.java

Create a zip package;

Uploading a zip package;

Successfully logged in to ssh, successfully wrote the public key to the root/.ssh/authorized_keys file.

@my-fastcms
Owner

You must have the permission to install templates. Do you have a better solution?

@ha1yuYiqiyinHangzhouTechn0logy
Author

Filtering out the "../" string when unzipping a zip package can effectively prevent directory traversal attacks.
e.g.: [image]

@my-fastcms
Owner

org.zeroturnaround zt-zip 1.15: I used this class library to repair it.
