Unauthorized upload vulnerability · Issue #IO0IQ · 铭飞/MCMS - Gitee.com

开源项目 > 建站系统 > CMS建站系统 &&

/ 详情

已完成

创建于

2018-10-29 21:57

Since this upload interface does not verify the user login status, you can use this interface to upload files without setting a cookie. First upload a picture horse, then intercept the data packet in the name parameter that changes the suffix name to jsp, after the release request, the server returns the storage path of the webshell.

创建了任务

修改了描述

原值

\MCMS-master\src\main\java\com\mingsoft\basic\action\web\FileAction.java

The user interface is not authenticated on the upload interface, resulting in unauthorized access to the upload interface.

(https://images.gitee.com/uploads/images/2018/1029/214944_475a01e4_2110619.png "111.png")

The whitelist check is not performed on the file suffix name. The file suffix name is obtained according to the file passed in by the client and combined with the current time to form a new file name _fileName, and then combined with the uploadPath file path passed in from the client into a file. Store the path and then upload the file directly.

(https://images.gitee.com/uploads/images/2018/1029/215035_4929f32f_2110619.png "112.png")

Since this upload interface does not verify the user login status, you can use this interface to upload files without setting a cookie. First upload a picture horse, then intercept the data packet in the name parameter that changes the suffix name to jsp, after the release request, the server returns the storage path of the webshell.

(https://images.gitee.com/uploads/images/2018/1029/215053_29f52256_2110619.png "113.png")

新值

\MCMS-master\src\main\java\com\mingsoft\basic\action\web\FileAction.java

The user interface is not authenticated on the upload interface, resulting in unauthorized access to the upload interface.

https://images.gitee.com/uploads/images/2018/1029/214944_475a01e4_2110619.png 

The whitelist check is not performed on the file suffix name. The file suffix name is obtained according to the file passed in by the client and combined with the current time to form a new file name _fileName, and then combined with the uploadPath file path passed in from the client into a file. Store the path and then upload the file directly.

https://images.gitee.com/uploads/images/2018/1029/215035_4929f32f_2110619.png 

Since this upload interface does not verify the user login status, you can use this interface to upload files without setting a cookie. First upload a picture horse, then intercept the data packet in the name parameter that changes the suffix name to jsp, after the release request, the server returns the storage path of the webshell.

https://images.gitee.com/uploads/images/2018/1029/215053_29f52256_2110619.png

修改了描述

展开全部操作日志

resolved

将任务状态从 待办的 修改为已拒绝

将任务状态从 已拒绝 修改为已完成

Could anyone provide the fix commit, please?
Thanks

登录后才可以发表评论

状态

负责人

里程碑

Pull Requests

关联的 Pull Requests 被合并后可能会关闭此 issue

分支

开始日期 - 截止日期

-

置顶选项

优先级

参与者（3）

Java

1

https://gitee.com/mingSoft/MCMS.git

git@gitee.com:mingSoft/MCMS.git

mingSoft

MCMS

MCMS