CVE-2022-23390: SEVEN high-risk vulnerabilities · Issue #51 · diyhi/bbs
An issue in the getType function of BBS Forum v5.3 and below allows attackers to upload arbitrary files.
Hi, there are SEVEN high-risk vulnerabilities in the administrator background. Please fix them as soon as possible.
Five arbitrary file upload vulnerabilities.
In HelpManageAction.java, MembershipCardManageAction.java, QuestionManageAction.java, TopicManageAction.java, and ForumManageAction.java, there is the following insecure code.
```java
// Upload handler fragment as reported. When the client declares
// application/octet-stream, only the leading bytes of the file are inspected
// by FileType.getType; the submitted file name and its extension are never
// checked before authentication is set to true.
if(file.getContentType().equalsIgnoreCase("application/octet-stream")){
    String fileType = FileType.getType(file.getInputStream());
    for (String format :formatList) {
        if(format.equalsIgnoreCase(fileType)){
            authentication = true;
            break;
        }
    }
}
```
And the getType function code is below.
```java
// FileType.getType as reported: takes the file head returned by
// getFileContent and matches it by prefix against the `type` table to pick a
// format name. Nothing about the file name or extension is consulted, so a
// file whose first bytes look like an allowed image passes whatever it is called.
public static String getType(InputStream inputStream) throws IOException {
    String fileHead = getFileContent(inputStream);
    if (fileHead == null || fileHead.length() == 0) {
        return null;
    }
    fileHead = fileHead.toUpperCase();
    for (Map.Entry<String, String> entry : type.entrySet()) {
        if (fileHead.startsWith(entry.getKey())) {
            return entry.getValue();
        }
    }
    return null;
}
```
If the Content-Type is "application/octet-stream", the program goes to the getType function, and that function does not strictly check file suffixes.
Proof of concept.
Log in as the administrator first, then choose the topic list and upload a file. With Burp Suite, you can change the Content-Type parameter to application/octet-stream and change the filename to 1.jsp.
You can find that the webshell uploads successfully.
The other is a Zip Slip vulnerability.
The problem lies in the system upgrade function.
The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh).
The UpgradeNow function in UpgradeManageAction.java unzips the uploaded zip file without checking filenames.
```java
ZipUtil.unZip(updatePackage_path, temp_path);
```
The hacker can exploit the website like this.
The third vulnerability is code injection.
Background management template.
You can edit the HTML file, so we can insert evil code, as the HTML will be processed by the FreeMarker engine.
When you access the website, the injected evil code will execute.
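Added example for the upload check above (not code from the diyhi/bbs project): a stand-alone Java re-creation of the magic-byte-only check beside a hardened version that also requires an allow-listed extension that agrees with the detected type. The `TYPE` table, the `fileHeadHex` helper and the `GIF89a` polyglot body are assumptions made here for illustration; the issue does not show the project's own table, its `getFileContent`, or the exact file body the reporter uploaded, only that the magic-byte branch was satisfied with a `1.jsp` filename.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class UploadCheckDemo {

    // Assumed magic-byte table (hex prefix -> format name). The project's
    // real `type` map is not shown in the issue.
    private static final Map<String, String> TYPE = new LinkedHashMap<>();
    static {
        TYPE.put("FFD8FF", "jpg");
        TYPE.put("89504E47", "png");
        TYPE.put("47494638", "gif");
    }

    // Assumed allow-list, standing in for the handler's formatList.
    private static final List<String> FORMAT_LIST = List.of("jpg", "png", "gif");

    // Assumed stand-in for getFileContent(): hex-encodes the first 4 bytes.
    static String fileHeadHex(InputStream in) throws IOException {
        byte[] head = new byte[4];
        int n = in.read(head);
        if (n <= 0) return null;
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < n; i++) sb.append(String.format("%02X", head[i]));
        return sb.toString();
    }

    // Same logic as the reported getType(): prefix match on the file head only.
    static String getType(InputStream in) throws IOException {
        String fileHead = fileHeadHex(in);
        if (fileHead == null || fileHead.isEmpty()) return null;
        fileHead = fileHead.toUpperCase(Locale.ROOT);
        for (Map.Entry<String, String> e : TYPE.entrySet()) {
            if (fileHead.startsWith(e.getKey())) return e.getValue();
        }
        return null;
    }

    // Vulnerable check as reported: for octet-stream, trust the magic bytes
    // and ignore the file name completely.
    static boolean vulnerableCheck(String contentType, String fileName, byte[] body) throws IOException {
        if (contentType.equalsIgnoreCase("application/octet-stream")) {
            String fileType = getType(new ByteArrayInputStream(body));
            for (String format : FORMAT_LIST) {
                if (format.equalsIgnoreCase(fileType)) return true;
            }
        }
        return false;
    }

    // Hardened check: the extension must be allow-listed AND match the magic
    // bytes. A ".jsp" name can never satisfy this, whatever the body starts with.
    static boolean hardenedCheck(String contentType, String fileName, byte[] body) throws IOException {
        String lower = fileName.toLowerCase(Locale.ROOT);
        if (lower.indexOf('/') >= 0 || lower.indexOf('\\') >= 0 || lower.indexOf('\0') >= 0) return false;
        int dot = lower.lastIndexOf('.');
        if (dot < 0) return false;
        String ext = lower.substring(dot + 1);
        if (!FORMAT_LIST.contains(ext)) return false;
        String fileType = getType(new ByteArrayInputStream(body));
        return ext.equals(fileType);
    }

    public static void main(String[] args) throws IOException {
        // Constructed polyglot: a GIF header (47 49 46 38 ...) followed by JSP source.
        byte[] polyglot = "GIF89a<% out.println(\"shell\"); %>".getBytes(StandardCharsets.ISO_8859_1);
        System.out.println("vulnerable, 1.jsp : " + vulnerableCheck("application/octet-stream", "1.jsp", polyglot)); // true
        System.out.println("hardened,   1.jsp : " + hardenedCheck("application/octet-stream", "1.jsp", polyglot));   // false
        System.out.println("hardened,   1.gif : " + hardenedCheck("application/octet-stream", "1.gif", polyglot));   // true
    }
}
```

Even with the hardened check, the stored file should get a server-generated name with the validated extension rather than the client-supplied one, so that neither the name nor a later rename can turn an accepted image into something the servlet container will execute.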
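Added example for the Zip Slip section above (not the project's `ZipUtil`): a Java extractor that resolves every entry name under the destination directory and rejects any entry that escapes it, tried against a constructed in-memory archive containing a `../../evil.sh` entry. The class and method names here are chosen for this illustration; `temp_path` is used only as the destination directory name to mirror the reported `ZipUtil.unZip(updatePackage_path, temp_path)` call.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {

    // Resolves an entry name under destDir and refuses anything that escapes it
    // ("../" sequences, absolute paths). This is the check the reported
    // ZipUtil.unZip call is missing.
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("Zip Slip: entry escapes destination: " + entryName);
        }
        return target;
    }

    // Two passes: validate every entry name first, then extract. A traversal
    // entry anywhere in the archive rejects it before a single byte is written.
    static List<Path> unZipSafely(byte[] zip, Path destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip))) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                safeResolve(destDir, e.getName());
            }
        }
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip))) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                Path target = safeResolve(destDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target);
                    written.add(target);
                }
            }
        }
        return written;
    }

    // Constructed archive: one benign entry and one traversal entry.
    static byte[] buildCraftedZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("update/readme.txt"));
            zos.write("benign".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../evil.sh"));
            zos.write("#!/bin/sh\necho pwned\n".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("zipslip").resolve("temp_path");
        Files.createDirectories(dest);
        byte[] zip = buildCraftedZip();

        // Where an unchecked unzip would place each entry:
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip))) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                Path naive = dest.resolve(e.getName()).normalize();
                System.out.println(e.getName() + " -> " + naive
                        + (naive.startsWith(dest) ? "" : "   <-- outside temp_path"));
            }
        }

        // The checked extractor refuses the whole archive.
        try {
            unZipSafely(zip, dest);
        } catch (IOException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The `normalize()` then `startsWith()` pair is what matters: checking the raw entry name for the literal string `../` misses absolute entry names and mixed separators, whereas comparing resolved paths catches every way of leaving the destination.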
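Added example for the template code injection section above (not code from the project): a stand-alone FreeMarker setup showing the default, unrestricted configuration beside a hardened one, rendered against a constructed template body. The issue says only that an editable HTML template is processed by FreeMarker and that injected code executes; the specific payload here, FreeMarker's `?new` built-in instantiating `freemarker.template.utility.Execute`, is the general FreeMarker injection mechanism and is an assumption about what "evil code" looks like, not something the reporter shows. Requires the `org.freemarker:freemarker` 2.3.x library on the classpath.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

public class TemplateInjectionDemo {

    // Constructed template body, standing in for text an admin could paste into
    // an editable HTML template. ?new instantiates an arbitrary TemplateModel
    // class, and Execute runs an OS command when called.
    static final String MALICIOUS =
            "<html>${\"freemarker.template.utility.Execute\"?new()(\"id\")}</html>";

    static Configuration defaultConfig() {
        // The default class resolver is UNRESTRICTED_RESOLVER: ?new may load any class.
        return new Configuration(Configuration.VERSION_2_3_31);
    }

    static Configuration hardenedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // Refuse ?new entirely: templates written by users are data, not code.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api is off by default; set explicitly so the hardening is visible in one place.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    static String render(Configuration cfg, String body) throws IOException, TemplateException {
        Template t = new Template("editable-template", new StringReader(body), cfg);
        StringWriter out = new StringWriter();
        t.process(Map.of(), out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        try {
            // With the default resolver this really runs `id` on the host; keep it in a lab.
            System.out.println("default : " + render(defaultConfig(), MALICIOUS));
        } catch (TemplateException e) {
            System.out.println("default failed: " + e.getMessageWithoutStackTop());
        }
        try {
            System.out.println("hardened: " + render(hardenedConfig(), MALICIOUS));
        } catch (TemplateException e) {
            // Expected: instantiating the class is refused "for security reasons".
            System.out.println("hardened rejected: " + e.getMessageWithoutStackTop());
        }
    }
}
```

If legitimate templates genuinely need `?new`, `TemplateClassResolver.SAFER_RESOLVER` blocks `Execute`, `ObjectConstructor` and `JythonRuntime` while allowing other classes; but for content that administrators edit through a web form, the safer design is to not hand raw FreeMarker source to the engine at all and to keep editable HTML as escaped data inside a fixed template.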