CVE-2023-41599: Directory traversal in JFinalCMS
An issue in the component /common/DownController.java of JFinalCMS v5.0.0 allows attackers to execute a directory traversal.
Source code: https://gitee.com/heyewei/JFinalcms
Official website: http://www.jrecms.com/product/201.html
Analysis:
The vulnerable file is com/cms/controller/common/DownController.java.
The file function concatenates the value of the fileKey parameter, as a string, directly onto the overall file path. It performs no blacklist or whitelist check and no other security validation, so /../ sequences in the parameter can be used to perform directory traversal.
PoC:
I set a test.txt at E:\test.txt, and this Java system is also set up on the E: disk.

Windows: /../../../../../../../../../test.txt
Linux: /../../../../../../../../../etc/passwd
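
The string-concatenation pattern described in the analysis, next to a containment check that rejects the traversal value shown above. This Java code is an added example, not code from JFinalCMS: the class DownloadPathCheck, the methods resolveUnsafe and resolveSafe, and the temporary download directory are hypothetical names and data constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; class and method names are hypothetical, not JFinalCMS code.
public class DownloadPathCheck {

    // The pattern the analysis describes: the request value is appended to the base path as a string.
    static Path resolveUnsafe(Path baseDir, String fileKey) {
        return Path.of(baseDir.toString() + fileKey);
    }

    // Hardened form: canonicalise, then require the result to stay under the base directory.
    static Path resolveSafe(Path baseDir, String fileKey) throws IOException {
        if (fileKey == null || fileKey.isEmpty() || fileKey.indexOf('\0') >= 0) {
            throw new SecurityException("invalid fileKey");
        }
        Path base = baseDir.toRealPath();
        // Strip leading separators so the value is always resolved relative to base.
        String relative = fileKey.replaceFirst("^[/\\\\]+", "");
        Path candidate = base.resolve(relative).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("fileKey escapes download directory");
        }
        // If the target exists, resolve symlinks and re-check containment.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new SecurityException("fileKey resolves outside download directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary download root holding one legitimate file.
        Path root = Files.createTempDirectory("downloads");
        Files.createDirectories(root.resolve("upload"));
        Files.writeString(root.resolve("upload/report.txt"), "ok");

        String[] keys = { "/upload/report.txt", "/../../../../../../../../../etc/passwd" };
        for (String key : keys) {
            System.out.println("unsafe -> " + resolveUnsafe(root, key).normalize());
            try {
                System.out.println("safe   -> " + resolveSafe(root, key));
            } catch (SecurityException e) {
                System.out.println("safe   -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The check compares normalised Path objects rather than strings, so a sibling directory whose name merely begins with the base directory's name does not pass startsWith.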