General Yuan (Gpower) site-building system upload vulnerability and fix - vulnerability warning - Heiba Security Net (黑吧安全网)

2012-12-12T00:00:00
ID MYHACK58:62201236088
Type myhack58
Reporter Anonymous
Modified 2012-12-12T00:00:00

Description

The General Yuan (Gpower) site-building system has an upload vulnerability: arbitrary files can be uploaded directly, with no filtering.

The General Yuan site-building system has an upload point.

Access:

www.xxx.com/cms/editor/filemanager/browser/default/browser.html?Type=&Connector=connectors/jsp/connector

The Type parameter accepts ../ sequences and can be used to traverse directories, but a shell cannot be uploaded directly this way.

A file can only be uploaded once a path from the filesystem root to the web storage directory has been constructed.

To place a JSP file in the site root directory, which sits one level above the cms directory, the file can be uploaded as a JSP; there is no filter.

On the General Yuan official website, for example:

http://www.gpowersoft.com/cms/editor/filemanager/browser/default/browser.html?Type=../../../../Tomcat5.5_Gpower/webapps/cms&Connector=connectors/jsp/connector

A JSP file can be uploaded.

Images, for whatever reason, could not be uploaded.

This is the test on the official website:

http://www.gpowersoft.com/index.txt

Fix:

Modify the editor's storage path, remove the upload point, or add filtering to the upload handler.
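A server-side check of the kind the fix describes, added here as an example and not Gpower's own code. The storage root, the folder names accepted for Type and the extension allowlist are assumed values; the check refuses a Type value that is not a configured folder name, refuses filenames that carry path or odd characters, allowlists the final extension, and confirms the canonical target still lies under the storage root.

```python
import os
import re

# Assumed configuration (not from the advisory): where the editor stores
# uploads, which Type folder names exist, and which extensions are allowed.
UPLOAD_ROOT = "/var/www/cms/userfiles"
ALLOWED_TYPES = {"Image", "File", "Flash", "Media"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Only plain filename characters; rejects "/", "\\", ";", NUL and the like.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def resolve_upload_target(type_param, filename, root=UPLOAD_ROOT):
    """Return the absolute path an upload would be written to, or None
    when the request must be rejected."""
    # 1. Type must name a configured folder, so "../../.." style values
    #    (as in the advisory's URL) never reach the filesystem.
    if type_param not in ALLOWED_TYPES:
        return None
    # 2. The client-supplied filename must be a bare, well-formed name.
    if not SAFE_NAME.match(filename):
        return None
    # 3. Allowlist the final extension; "shell.jsp" has none that qualifies.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # 4. Defence in depth: canonicalise and confirm the target is still
    #    inside the storage root even if steps 1 and 2 are ever loosened.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, type_param, filename))
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


if __name__ == "__main__":
    # Constructed requests: the first is a normal image upload, the rest
    # are shapes the advisory's upload point should have refused.
    print(resolve_upload_target("Image", "photo.png"))
    print(resolve_upload_target("../../../../Tomcat5.5_Gpower/webapps/cms", "shell.jsp"))
    print(resolve_upload_target("Image", "shell.jsp"))
    print(resolve_upload_target("Image", "../shell.png"))
```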