CVE-2022-23390: SEVEN high-risk vulnerabilities · Issue #51 · diyhi/bbs

An issue in the getType function of BBS Forum v5.3 and below allows attackers to upload arbitrary files.


Hi, there are SEVEN high-risk vulnerabilities in the Administrator background. Please fix it as soon as possible.
Five arbitrary file upload vulnerabilities.
In HelpManageAction.java, MembershipCardManageAction.java, QuestionManageAction.java, TopicManageAction.java and ForumManageAction.java, there is the following insecure code.

// Only the client-controlled Content-Type header decides whether the check runs;
// the check itself looks at leading bytes and never at the file extension.
if (file.getContentType().equalsIgnoreCase("application/octet-stream")) {
    String fileType = FileType.getType(file.getInputStream());
    for (String format : formatList) {
        if (format.equalsIgnoreCase(fileType)) {
            authentication = true;
            break;
        }
    }
}
And the getType function code is below.
public static String getType(InputStream inputStream) throws IOException {
    // Hex string of the file's leading bytes (magic number)
    String fileHead = getFileContent(inputStream);
    if (fileHead == null || fileHead.length() == 0) {
        return null;
    }

    fileHead = fileHead.toUpperCase();

    // Map the magic-number prefix to a type name; the filename is never consulted
    for (Map.Entry<String, String> entry : type.entrySet()) {
        if (fileHead.startsWith(entry.getKey())) {
            return entry.getValue();
        }
    }
    return null;
}

If Content-Type is "application/octet-stream", the program will go to the getType function, and the function does not strictly check file suffixes.
Proof of concept.
Log in as the administrator first, then choose the topic list and upload a file. With Burp Suite, you can change the Content-Type parameter to application/octet-stream and change the filename to 1.jsp.
You can find that the webshell uploads successfully.

The other is a Zip Slip vulnerability.
The problem lies in the system upgrade function.
The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh).
The UpgradeNow function in UpgradeManageAction.java unzips the uploaded zip file without checking filenames.

ZipUtil.unZip(updatePackage_path, temp_path);

The hacker can exploit the website like this.


The third vulnerability is code injection.
Background management template.

You can edit the HTML file, so we can insert evil code, as the HTML will be processed by the FreeMarker engine.
When you access the website, the injected evil code will execute.
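As an added example (this is not code from diyhi/bbs or from the issue author), the two defensive checks that the upload and Zip Slip findings above call for: the upload allowlist validates the file extension first and independently of the Content-Type header, and then requires the leading bytes to agree with that extension; the extraction routine resolves every zip entry against the destination directory and rejects any entry that escapes it before writing a byte. The class, method and allowlist names (UploadHardening, isAllowedUpload, safeUnzip, ALLOWED) are assumed for this example, and the inputs built in main are constructed: a PNG header submitted under a .jsp name, the same header under a .png name, and JSP-looking bytes under a .png name.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Locale;
import java.util.Map;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public final class UploadHardening {

    // Assumed allowlist for the upload feature: extension -> required magic-byte prefix (upper-case hex).
    private static final Map<String, String> ALLOWED = Map.of(
            "png", "89504E47",
            "jpg", "FFD8FF",
            "jpeg", "FFD8FF",
            "gif", "47494638",
            "zip", "504B0304");

    /** Lower-cased extension of the last path segment, or "" if there is none. */
    static String extensionOf(String filename) {
        // Drop any client-supplied directory components before looking at the name.
        String name = filename.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            return "";
        }
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Reads up to n leading bytes and renders them as upper-case hex. */
    static String hexHead(InputStream in, int n) throws IOException {
        byte[] buf = in.readNBytes(n);
        StringBuilder sb = new StringBuilder();
        for (byte b : buf) {
            sb.append(String.format("%02X", b & 0xFF));
        }
        return sb.toString();
    }

    /**
     * The extension is what the container and the browser act on, so it is
     * checked against the allowlist regardless of Content-Type. The content
     * must then carry the magic bytes of that extension, so a file renamed
     * to 1.jsp is rejected even when the header says application/octet-stream.
     */
    public static boolean isAllowedUpload(String filename, InputStream content) throws IOException {
        String ext = extensionOf(filename);
        String magic = ALLOWED.get(ext);
        if (magic == null) {
            return false;               // extension not on the allowlist
        }
        return hexHead(content, 8).startsWith(magic);   // content must agree with the extension
    }

    /**
     * Zip Slip mitigation: each entry name is resolved under the destination
     * and normalised; an entry that resolves outside it is refused before
     * anything is written. Path.startsWith compares whole path components,
     * so "dest-evil" does not pass as being inside "dest".
     */
    public static void safeUnzip(Path zipFile, Path destDir) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Files.createDirectories(root);
        try (ZipInputStream zin = new ZipInputStream(Files.newInputStream(zipFile))) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                Path target = root.resolve(entry.getName()).normalize();
                if (!target.startsWith(root)) {
                    throw new IOException("Zip Slip entry rejected: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zin.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a genuine PNG header and some JSP-looking bytes.
        byte[] pngHeader = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
        byte[] jspBytes = "<%@ page %>".getBytes();
        System.out.println("1.jsp with PNG bytes: " + isAllowedUpload("1.jsp", new ByteArrayInputStream(pngHeader)));
        System.out.println("1.png with PNG bytes: " + isAllowedUpload("1.png", new ByteArrayInputStream(pngHeader)));
        System.out.println("a.png with JSP bytes: " + isAllowedUpload("a.png", new ByteArrayInputStream(jspBytes)));
    }
}
```

The first call in main is rejected because .jsp is not on the allowlist, whatever the Content-Type header says; the third is rejected because the bytes do not match the .png magic number; only the second passes. For the upgrade feature, safeUnzip is a drop-in replacement for an unchecked ZipUtil.unZip-style call: an archive entry such as ../../evil.sh normalises to a path outside the destination and aborts the whole extraction.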
