Affected Versions
version ≤ 3.8.2 (latest version)
https://github.com/jeecgboot/JeecgBoot
Impact
Jeecgboot versions 3.7.3 and earlier are affected by a path traversal vulnerability. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server.
Attack Steps
- Send the following data packet to the API endpoint
/jeecg-boot/sys/common/upload, ensuring the biz parameter is set to ..
- Check the response packet and the corresponding directory to confirm the successful
upload Background program:
Vulnerability Cause
The bizPath parameter only filters ../ and ..\, but does not account for the .. form. Additionally, a file separator is added between bizPath and fileName during subsequent concatenation.
Exploitation
The /opt directory in Linux systems is typically used to store additional applications. If an attacker can upload files to this directory, they may exploit it for various attacks. For example, by including a malicious shell script in the uploaded tar file, an attacker could replace legitimate software or library files in the /opt directory when an administrator mistakenly extracts the file. This could involve replacing an application's executable with a malicious version. Common software in the /opt directory includes: /opt/mongodb, /opt/google/chrome, /opt/nodejs, /opt/postgresql, /opt/anaconda, /opt/VirtualBox, /opt/nginx.
Since the extraction directory is in /opt, attackers can replace these software executables with malicious code to carry out attacks.
友情提示:
- 未按格式要求发帖、描述过于简单的,会被直接删掉;
- 描述问题请图文并茂,方便我们理解并快速定位问题;
- 如果使用的不是master,请说明你使用的分支;
Affected Versions
version ≤ 3.8.2 (latest version)
https://github.com/jeecgboot/JeecgBoot
Impact
Jeecgboot versions 3.7.3 and earlier are affected by a path traversal vulnerability. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory
/opt, instead of the/opt/upFilesdirectory specified by the web server.Attack Steps
/jeecg-boot/sys/common/upload, ensuring thebizparameter is set to..upload Background program:
Vulnerability Cause
The
bizPathparameter only filters../and..\, but does not account for the..form. Additionally, a file separator is added betweenbizPathandfileNameduring subsequent concatenation.Exploitation
The
/optdirectory in Linux systems is typically used to store additional applications. If an attacker can upload files to this directory, they may exploit it for various attacks. For example, by including a malicious shell script in the uploaded tar file, an attacker could replace legitimate software or library files in the/optdirectory when an administrator mistakenly extracts the file. This could involve replacing an application's executable with a malicious version. Common software in the/optdirectory includes:/opt/mongodb,/opt/google/chrome,/opt/nodejs,/opt/postgresql,/opt/anaconda,/opt/VirtualBox,/opt/nginx.Since the extraction directory is in
/opt, attackers can replace these software executables with malicious code to carry out attacks.友情提示: