| 제목 | https://github.com/bolo-blog/bolo-solo/ bolo-solo V2.6.4 Write any file |
|---|
| 설명 | A path traversal vulnerability exists in the /import/markdown endpoint of bolo-solo version 2.6.4_stable. The application uses an unsafe ZIP extraction routine (unpackFilteredZip) that fails to sanitize or validate file paths within uploaded ZIP archives. Specifically, the function constructs output file paths using new File(outputDir, entryName) without canonicalizing or restricting the entry name to the intended output directory. As a result, an authenticated attacker (typically with admin privileges) can upload a malicious ZIP file containing entries with path traversal sequences (e.g., ../../../etc/passwd or ../../static/poc.html). Upon extraction, arbitrary files can be written to any location on the filesystem where the application process has write permissions. This may lead to remote code execution (e.g., via webshell upload), configuration file overwrite, or denial of service. |
|---|
| 원천 | ⚠️ https://github.com/bolo-blog/bolo-solo/issues/326 |
|---|
| 사용자 | MaoQiu (UID 94327) |
|---|
| 제출 | 2026. 01. 20. AM 03:40 (5 개월 ago) |
|---|
| 모더레이션 | 2026. 02. 03. PM 03:04 (14 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 343978 [bolo-blog bolo-solo 까지 2.6.4 ZIP File BackupService.java unpackFilteredZip 파일 디렉토리 순회] |
|---|
| 포인트들 | 20 |
|---|