Vulnerability Reproduction
Similar to the [Arbitrary file upload vulnerability in the JPress front end · Issue #173 · JPressProjects/jpress (github.com)](#173)
Deploy JPress on Windows
After installing the JPress framework, register a user.
http://localhost/user/register
After registration, go to the avatar settings (http://localhost/ucenter/avatar), select an image, and capture the packet to submit.
If you upload an HTML file normally, it shows that uploading is not supported.
Uploading a JSP file will have its suffix changed.
When we add `::$DATA` to the end of the file name and send the packet, the normal file should be saved at `/attachment/20240803/b91be30530c843f8aed2c08bb2222ddc.jsp::$DATA`, but the final file is saved at `/attachment/1.jsp`.
The same applies to HTML files, so it is not elaborated.
Vulnerability Analysis
Located in the `io.jpress.web.commons.controller.AttachmentController#upload` method, line 55 calls the `ControllerBase#getFile` method.
Then `getFile` calls the `getFirstFileOnly` method.
The `getFirstFileOnly` method calls `this.getFiles()` to save the file at `/attachment/1.jsp::$DATA`, but due to the characteristics of Windows, the `::$DATA` suffix is ignored, causing the file to be saved at `/attachment/1.jsp`.
Finally, at line 90 of the `io.jpress.web.commons.controller.AttachmentController#upload` method, an error is triggered, preventing the file from being moved further, so the file is saved at `/attachment/1.jsp`.
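
An added example, not part of the original issue and not JPress code: a filename check that rejects the `1.jsp::$DATA` name from this report and only ever stores uploads under a server-generated name. The class name `UploadNameCheck`, the method `storageNameFor` and the image allowlist are assumptions for illustration; such a check only helps if it runs before anything is written under the client-supplied name.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

public class UploadNameCheck {
    // Assumed allowlist for an avatar upload; adjust to the application's needs.
    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif");

    /** Returns a server-generated storage name, or throws if the submitted name is unsafe. */
    static String storageNameFor(String submitted) {
        if (submitted == null || submitted.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        for (char c : submitted.toCharArray()) {
            // ':' introduces an NTFS stream name (1.jsp::$DATA); separators change the path.
            if (c == ':' || c == '/' || c == '\\' || c < 0x20) {
                throw new IllegalArgumentException("illegal character in file name");
            }
        }
        // Windows drops trailing dots and spaces, so "a.jsp." would be stored as "a.jsp".
        char last = submitted.charAt(submitted.length() - 1);
        if (last == '.' || last == ' ') {
            throw new IllegalArgumentException("trailing dot or space in file name");
        }
        int dot = submitted.lastIndexOf('.');
        String ext = dot < 0 ? "" : submitted.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // Never reuse the client-supplied name on disk.
        return UUID.randomUUID().toString().replace("-", "") + "." + ext;
    }

    public static void main(String[] args) {
        // Constructed sample names, including the one from this report.
        for (String name : List.of("avatar.png", "1.jsp::$DATA", "1.jsp", "a.png.", "..\\x.png")) {
            try {
                System.out.println(name + " -> " + storageNameFor(name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```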