[Vulnerability description]
Ujcms v6.0.2 has a sensitive file reading problem. When the project is deployed with Tomcat, the backend zip package download function downloads the html directory, and modifying the dir parameter causes the source code and configuration files to be downloaded.
[Vulnerability Type]
Sensitive file reading (Information Disclosure)
[Vendor of Product]
https://gitee.com/ujcms/ujcms
https://github.com/ujcms/ujcms
https://www.ujcms.com/
[Affected Product Code Base]
v6.0.2
[Vulnerability proof]
Condition: the project is deployed with Tomcat.
The dir parameter is allowed to be set to "WEB-INF/", and the names parameter is allowed to be set to "classes", so that the source code and web configuration files can be downloaded directly. (There is no html directory by default; you can create it directly through the function.)
[Code Details]
com.ujcms.cms.core.web.backendapi.AbstractWebFileController#downloadZip
The code checks the two parameters "dir" and "names" separately.
com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkId(java.lang.String)
Checks whether there is directory traversal; there are no restrictions on accessible directories.
com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkName(java.lang.String)
Checks the file name against two conditions:
(1) The file name is empty
(2) The file name contains illegal characters
Accessible directories are not restricted.
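The gap described in this report, as an added example that is not Ujcms code: a traversal-only check beside a check that also confines the resolved path to one permitted subtree. The class name ZipDirGuard, the web root path, the choice of "html" as the only allowed base and the sample inputs are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;

public class ZipDirGuard {
    // Assumptions (not from the project): web root location and the single
    // subtree the zip download is meant to serve.
    static final Path WEB_ROOT = Paths.get("/opt/tomcat/webapps/ROOT").normalize();
    static final Path ALLOWED_BASE = WEB_ROOT.resolve("html");

    // Pattern described in the report: only traversal sequences are rejected,
    // so any directory under the web root (WEB-INF included) passes.
    static boolean traversalOnlyCheck(String dir) {
        return dir != null && !dir.contains("..");
    }

    // Hardened check: build the final path from dir + name, normalize it, and
    // require it to stay inside ALLOWED_BASE. In production, also compare
    // toRealPath() results so symlinks cannot leave the base.
    static boolean isAllowed(String dir, String name) {
        if (dir == null || name == null || name.isEmpty()) return false;
        if (name.contains("/") || name.contains("\\") || name.contains("..")) return false;
        // Strip leading separators so resolve() never receives an absolute path.
        String rel = dir.replace('\\', '/').replaceAll("^/+", "");
        Path target = WEB_ROOT.resolve(rel).resolve(name).normalize();
        if (!target.startsWith(ALLOWED_BASE)) return false;
        // Defense in depth: never serve container-private directories,
        // whatever their case (case-insensitive file systems).
        for (Path part : WEB_ROOT.relativize(target)) {
            String p = part.toString().toUpperCase(Locale.ROOT);
            if (p.equals("WEB-INF") || p.equals("META-INF")) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second pair is the one from the report.
        String[][] cases = {
            {"html/", "index.html"}, {"WEB-INF/", "classes"},
            {"html/../WEB-INF/", "classes"}, {"/html/css", "site.css"}
        };
        for (String[] c : cases) {
            System.out.printf("dir=%-18s names=%-11s traversalOnly=%-5b hardened=%b%n",
                c[0], c[1], traversalOnlyCheck(c[0]), isAllowed(c[0], c[1]));
        }
    }
}
```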