CVE-2022-4511: Arbitrary file download Vulnerability · Issue #I66A3V · Rainy/DocSys - Gitee.com

中文****漏洞描述

获取用户头像接口com.DocSystem.controller.UserController#getUserImg存在任意文件下载，此接口被系统拦截器拦截，需要登录后访问，但拦截器com.DocSystem.controller.MyInterceptor#preHandle编写存在权限绕过问题。因此可以在未登录情况下造成任意文件下载漏洞。

漏洞影响

影响版本：全版本
漏洞危害：任意文件下载

漏洞发现

在UserController.java中的com.DocSystem.controller.UserController#getUserImg方法，存在以下代码

其中fileName可控，可以使用…/进行目前穿越，从而下载其他目录的文件。
但是此系统存在一个拦截器，会检测请求url是否满足访问权限，具体如下：

可以看到使用contains方法判断是否在allowedUrl中，所以这里很容易绕过。

漏洞复现

本地搭建系统后访问：
http://localhost:8081/DocSystem/User/getUserImg?fileName=…/…/windows/win.ini&s=pay/refund
可成功下载c:/windows/win.ini文件

English****Description

Get the user avatar interface com.DocSystem.Controller.UserController#getUserImg exist any file to download, the interface is blocked by system interceptors, after need to log in to access, But the interceptor interface com.DocSystem.Controller.MyInterceptor#preHandle write permissions to bypass the problems. Therefore, any file download vulnerability can be caused without login.

Impact

Affected version: Full version
Vulnerability damage: arbitrary file download

Code Audit

vulnerability in UserController.Java file, which com.DocSystem.Controller.UserController#getUserImg method, there are the following code：

Where the fileName parameter is controllable, you can use …/ Do a current traversal to download files from another directory.
However, there is an interceptor in this system, which will detect whether the requested url meets the access permission, specifically as follows:

You can see that you use the contains method to determine if it’s in the allowedUrl, so it’s easy to bypass here.

Steps to reproduce

After setting up the system locally, visit: http://localhost:8081/DocSystem/User/getUserImg?fileName=…/…/windows/win.ini&s=pay/refund
The c:/windows/win.ini file can be downloaded successfully