Skip to content

Path Traversal Vulnerability /sys/common/upload endpoint #8826

Description

@Arron-bit

Affected Versions

version ≤ 3.8.2 (latest version)

https://github.com/jeecgboot/JeecgBoot

Impact

Jeecgboot versions 3.7.3 and earlier are affected by a path traversal vulnerability. This vulnerability allows attackers to upload files with system-whitelisted extensions to the system directory /opt, instead of the /opt/upFiles directory specified by the web server.

Attack Steps

  1. Send the following data packet to the API endpoint /jeecg-boot/sys/common/upload, ensuring the biz parameter is set to ..
Image
  1. Check the response packet and the corresponding directory to confirm the successful
Image

upload Background program:

Image Image

Vulnerability Cause

The bizPath parameter only filters ../ and ..\, but does not account for the .. form. Additionally, a file separator is added between bizPath and fileName during subsequent concatenation.

Image Image

Exploitation

The /opt directory in Linux systems is typically used to store additional applications. If an attacker can upload files to this directory, they may exploit it for various attacks. For example, by including a malicious shell script in the uploaded tar file, an attacker could replace legitimate software or library files in the /opt directory when an administrator mistakenly extracts the file. This could involve replacing an application's executable with a malicious version. Common software in the /opt directory includes: /opt/mongodb, /opt/google/chrome, /opt/nodejs, /opt/postgresql, /opt/anaconda, /opt/VirtualBox, /opt/nginx.

Since the extraction directory is in /opt, attackers can replace these software executables with malicious code to carry out attacks.

友情提示:

  • 未按格式要求发帖、描述过于简单的,会被直接删掉;
  • 描述问题请图文并茂,方便我们理解并快速定位问题;
  • 如果使用的不是master,请说明你使用的分支;

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions