You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Eladmin is a back-end management system with front-end and back-end separation based on Spring Boot 2.6.4, Spring Boot Jpa, JWT, Spring Security, Redis, and Vue
Eladmin v2.7 has an arbitrary file upload vulnerability in the Database management and Deployment management
Attackers can construct filenames like ../../file to upload arbitrary files to arbitrary directories or delete arbitrary files in arbitrary directories
The affected API interfaces are /api/deploy/upload and /api/database/upload
Vulnerable code
The codes corresponding to these two interfaces do not filter the path and suffix of the uploaded file name.
Attackers can exploit this vulnerability to upload dynamic link libraries or write scheduled tasks to implement RCE. Attackers can also delete any files in any directory, affecting the stable operation of the web service site.
How to reproduced
POC
/api/database/upload
Upload arbitrary files to arbitrary directories
Delete arbitrary files in arbitrary directories
Firstly I create a file something-important in /tmp directory
The something-important file has been deleted
/api/deploy/upload
Upload arbitrary files to arbitrary directories
Delete arbitrary files in arbitrary directories
The situation is consistent with the above /api/database/uploadinterface
Description
Eladmin is a back-end management system with front-end and back-end separation based on Spring Boot 2.6.4, Spring Boot Jpa, JWT, Spring Security, Redis, and Vue
Eladmin v2.7 has an arbitrary file upload vulnerability in the Database management and Deployment management
Attackers can construct filenames like
../../file
to upload arbitrary files to arbitrary directories or delete arbitrary files in arbitrary directoriesThe affected API interfaces are
/api/deploy/upload
and/api/database/upload
Vulnerable code
The codes corresponding to these two interfaces do not filter the path and suffix of the uploaded file name.
https://github.com/elunez/eladmin/blob/master/eladmin-system/src/main/java/me/zhengjie/modules/mnt/rest/DatabaseController.java
https://github.com/elunez/eladmin/blob/master/eladmin-system/src/main/java/me/zhengjie/modules/mnt/rest/DeployController.java
Attackers can exploit this vulnerability to upload dynamic link libraries or write scheduled tasks to implement RCE. Attackers can also delete any files in any directory, affecting the stable operation of the web service site.
How to reproduced
POC
/api/database/upload
Upload arbitrary files to arbitrary directories
Delete arbitrary files in arbitrary directories
Firstly I create a file
something-important
in/tmp
directoryThe
something-important
file has been deleted/api/deploy/upload
Upload arbitrary files to arbitrary directories
Delete arbitrary files in arbitrary directories
The situation is consistent with the above
/api/database/upload
interfaceVersions
eladmin ≤ v2.7
Reporter
https://github.com/nerowander
The text was updated successfully, but these errors were encountered: