Headline
CVE-2023-34878: Ujcms v6.0.2 has a sensitive file reading problem · Issue #6 · ujcms/ujcms
An issue was discovered in Ujcms v6.0.2 allows attackers to gain sensitive information via the dir parameter to /api/backend/core/web-file-html/download-zip.
[Vulnerability description]
Ujcms v6.0.2 has a sensitive file reading problem. When using Tomcat to deploy the project, the background zip package downloads the html directory, and modifying the dir parameter causes the source code and configuration files to be downloaded
[Vulnerability Type]
Sensitive file reading(Information Disclosure)
[Vendor of Product]
https://gitee.com/ujcms/ujcms
https://github.com/ujcms/ujcms
https://www.ujcms.com/
[Affected Product Code Base]
v6.0.2
[Vulnerability proof]
Condition: tomcat deployment project
The dir parameter is allowed to be set to "WEB-INF/", and the names parameter is allowed to be set to "classes", so that the source code and web configuration files can be downloaded directly.(There is no html directory by default, you can create it directly through the function)
[Code Details]
com.ujcms.cms.core.web.backendapi.AbstractWebFileController#downloadZip
The code checks the two parameters “dir” and “names” separately
com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkId(java.lang.String)
Check whether there is directory traversal, no restrictions on accessible directories
com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkName(java.lang.String)Check the file name, when both meet
(1) The file name is empty
(2) The file name contains illegal characters
Accessible directories are not restricted