Java file-writing bug: 00 truncation of the file name causing a file upload vulnerability, and its fix

2012-12-27T00:00:00
ID MYHACK58:62201236410
Type myhack58
Reporter Anonymous
Modified 2012-12-27T00:00:00

Description


Test environment:

  1. Windows 7 (x64) + tomcat7 + jdk1.6

  2. Linux 3.0 (Ubuntu 11.10) (x86) + tomcat7 + jdk1.7

When Java writes a file in either of the two environments above, a 00 byte in the file name truncates it, so the newly created file does not get the intended name. For example, the user submits the file name abc.jsp .jpg (where the space stands for the 00 byte), but after the 00 truncation the resulting file name is abc.jsp. The bug can therefore be used wherever the upload code does not rename the uploaded file, or where the target directory can be user-defined.
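As an added example (not code from the original article), the Java sketch below contrasts a suffix-only extension check, which the 00-truncated name passes, with a stricter check that rejects control characters and path separators and stores the upload under a server-generated name. The class name, method names and the extension allowlist are assumptions made for illustration; Set.of needs Java 9 or later.

```java
import java.util.Locale;
import java.util.Set;
import java.util.UUID;
public class UploadNameCheck {
    // Assumed allowlist for this example (not from the article).
    static final Set<String> ALLOWED_EXT = Set.of("jpg", "jpeg", "png", "gif");
    // Naive check: only looks at the end of the submitted string.
    static boolean naiveIsImage(String name) {
        return name.toLowerCase(Locale.ROOT).endsWith(".jpg");
    }
    // What a NUL-terminated native file API keeps: the part before the first 00.
    static String truncatedAtNul(String name) {
        int nul = name.indexOf('\0');
        return nul < 0 ? name : name.substring(0, nul);
    }
    // Hardened: reject control characters and separators, allowlist the
    // extension, and store under a server-generated name, not the client's.
    static String storedNameFor(String submitted) {
        if (submitted == null || submitted.isEmpty() || submitted.length() > 255) {
            throw new IllegalArgumentException("missing or over-long file name");
        }
        for (int i = 0; i < submitted.length(); i++) {
            char c = submitted.charAt(i);
            if (Character.isISOControl(c) || c == '/' || c == '\\' || c == ':') {
                throw new IllegalArgumentException("illegal character at index " + i);
            }
        }
        int dot = submitted.lastIndexOf('.');
        String ext = dot < 0 ? "" : submitted.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        return UUID.randomUUID() + "." + ext;
    }

    public static void main(String[] args) {
        // Constructed inputs; the first is the abc.jsp[00].jpg name from the article.
        String[] samples = { "abc.jsp\0.jpg", "abc.jsp", "../abc.jpg", "photo.JPG" };
        for (String s : samples) {
            System.out.println(s.replace("\0", "\\0") + "  naive=" + naiveIsImage(s)
                    + "  after 00 truncation=" + truncatedAtNul(s));
            try {
                System.out.println("  stored as " + storedNameFor(s));
            } catch (IllegalArgumentException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

The first sample passes the naive check while its truncated form is abc.jsp; the hardened method rejects it at the 00 character, before any file API sees the name.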

The request sent in the test is as follows:

    POST /simpleUpload/write.jsp HTTP/1.1
    Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    Accept-Language: zh-cn
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: 192.168.200.142:8084
    Content-Length: 17
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: JSESSIONID=D2EC5F95AD581EB5FD3A860FC4CE640

    name=abc.jsp .jpg

(Note: before uploading, the space here has to be changed to 00 with a hex editor.)

The server-side test code is as follows:

    <%@page import="java.io.*"%>
    <%
    out.clear();
    // File name taken directly from the request parameter, with no validation
    String filename = request.getParameter("name");
    if (filename != null) {
        // Web application root on disk
        String path = application.getRealPath("/");
