Ujcms v6.0.2 has a sensitive file reading problem #6
Comments
|
Fixed in version 7.0.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
[Vulnerability description]
Ujcms v6.0.2 has a sensitive file reading problem. When using Tomcat to deploy the project, the background zip package downloads the html directory, and modifying the dir parameter causes the source code and configuration files to be downloaded
[Vulnerability Type]
Sensitive file reading(Information Disclosure)
[Vendor of Product]
https://gitee.com/ujcms/ujcms
https://github.com/ujcms/ujcms
https://www.ujcms.com/
[Affected Product Code Base]
v6.0.2
[Vulnerability proof]
Condition: tomcat deployment project
The dir parameter is allowed to be set to "WEB-INF/", and the names parameter is allowed to be set to "classes", so that the source code and web configuration files can be downloaded directly.(There is no html directory by default, you can create it directly through the function)
[Code Details]
com.ujcms.cms.core.web.backendapi.AbstractWebFileController#downloadZip
The code checks the two parameters "dir" and "names" separately
com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkId(java.lang.String)
Check whether there is directory traversal, no restrictions on accessible directories
com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkName(java.lang.String)Check the file name, when both meet
(1) The file name is empty
(2) The file name contains illegal characters
Accessible directories are not restricted
The text was updated successfully, but these errors were encountered: