The latest version of JPress deployed on Windows has an arbitrary file upload vulnerability #188

Open
lazy-forever opened this issue Aug 2, 2024 · 0 comments


Vulnerability Reproduction

Similar to [Arbitrary file upload vulnerability in the JPress front end · Issue #173 · JPressProjects/jpress (github.com)](#173)

Deploy JPress on Windows

After installing the JPress framework, register a user.

http://localhost/user/register


After registration, go to the avatar settings (http://localhost/ucenter/avatar), select an image, and capture the packet to submit.


If you upload an HTML file normally, it shows that uploading is not supported.


Uploading a JSP file will have its suffix changed.


We then add ::$DATA to the end of the file name and send the packet.


The normal file should be saved at /attachment/20240803/b91be30530c843f8aed2c08bb2222ddc.jsp::$DATA, but the final file is saved at /attachment/1.jsp.


The same applies to HTML files, so it is not elaborated.

Vulnerability Analysis

In the io.jpress.web.commons.controller.AttachmentController#upload method, line 55 calls the ControllerBase#getFile method.


Then getFile calls the getFirstFileOnly method.


The getFirstFileOnly method calls this.getFiles() to save the file at /attachment/1.jsp::$DATA, but due to the characteristics of Windows, the ::$DATA suffix is ignored, causing the file to be saved at /attachment/1.jsp.


Finally, at line 90 of the io.jpress.web.commons.controller.AttachmentController#upload method, an error is triggered, preventing the file from being moved further, so the file is saved at /attachment/1.jsp.
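
A defensive check for the behaviour reported above, as an added example that is not JPress code and not part of the original issue: it rejects client-supplied upload names that use NTFS stream syntax or other Windows name quirks, and derives the stored name on the server. The class name, method names and the extension allow-list are assumptions for illustration.

```java
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Added example (not JPress code): validate a client-supplied upload name
// before any file is written, then store under a server-generated name.
public class UploadNameCheck {
    // Assumed allow-list for an avatar upload; adjust to the application.
    private static final Set<String> ALLOWED_EXT = Set.of("jpg", "jpeg", "png", "gif");

    /** Returns the lower-cased extension if the name is acceptable, otherwise throws. */
    static String checkedExtension(String clientName) {
        if (clientName == null || clientName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        for (int i = 0; i < clientName.length(); i++) {
            char c = clientName.charAt(i);
            // ':' introduces an NTFS stream name ("1.jsp::$DATA"); separators and
            // control characters have no place in a bare file name either.
            if (c == ':' || c == '/' || c == '\\' || c < 0x20) {
                throw new IllegalArgumentException("illegal character in file name");
            }
        }
        // Windows silently strips trailing dots and spaces ("1.jsp." -> "1.jsp").
        char last = clientName.charAt(clientName.length() - 1);
        if (last == '.' || last == ' ') {
            throw new IllegalArgumentException("trailing dot or space in file name");
        }
        int dot = clientName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        return ext;
    }

    /** The stored name contains no client-controlled characters beyond the checked extension. */
    static String storedName(String clientName) {
        return UUID.randomUUID().toString().replace("-", "") + "." + checkedExtension(clientName);
    }

    public static void main(String[] args) {
        // Constructed sample names, including the one from the report.
        for (String n : new String[] {"avatar.png", "1.jsp", "1.jsp::$DATA", "1.png::$DATA", "1.jsp."}) {
            try {
                System.out.println(n + " -> " + storedName(n));
            } catch (IllegalArgumentException e) {
                System.out.println(n + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

In the flow the report describes, getFiles() writes the file under the client-supplied name before the controller inspects it, so a check like this only helps if it runs before that write, or if uploads are first written under server-generated temporary names outside the web root.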
