FE协作办公平台 /servlet/ChangeBGServlet 任意文件上传漏洞

2015-09-22T00:00:00
ID SSV:89507
Type seebug
Reporter GurdZain
Modified 2015-09-22T00:00:00

Description

漏洞文件:/servlet/ChangeBGServlet

漏洞参数:skinName

影响版本:FE5.5.2 及以下版本

成因:skinName 参数未经任何校验就被拼接进文件保存路径,上传文件的落地目录因此由请求方控制。修复时应对 skinName 做白名单校验(仅允许已存在的主题名),并在写入前确认规范化后的路径仍位于 login/theme 目录之内。

代码片段:

```
/**
 * Stores the uploaded file(s) of a multipart request as {@code bgimage.jpg} under
 * {@code <webroot>/login/theme/<skinName>/images/}, creating that directory if needed.
 *
 * <p>Security review of the excerpt as published:
 * <ul>
 *   <li>{@code skinName} comes straight from the request and is only checked for
 *       emptiness before it becomes part of the target directory, so the caller
 *       chooses where under (or outside) the web root the file is written.</li>
 *   <li>The uploaded item is written without any check of its content or size.</li>
 *   <li>No authentication or authorization check is visible in this excerpt —
 *       TODO confirm whether a filter in front of the servlet enforces one.</li>
 * </ul>
 *
 * <p>Remediation direction: accept only known theme names (allow-list, or a strict
 * pattern with no path separators or dots), resolve the final path with
 * {@code getCanonicalFile()} and refuse it unless it is still inside the
 * {@code login/theme} directory, and verify the upload really is an image.
 *
 * @param request  the incoming request; supplies {@code skinName} and the multipart body
 * @param response not used in the visible part of the method
 */
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    // Filesystem location of the web application root.
    String savePath = getServletConfig().getServletContext().getRealPath("");
    // Reads the request parameter; no filtering is applied to it (original author's note).
    String themeDir = request.getParameter("skinName");
    // The unvalidated parameter is concatenated into the save path (original author's note).
    savePath = savePath + File.separator + "login" + File.separator + "theme" + File.separator
            + themeDir + File.separator + "images" + File.separator;
    // The stored file name is fixed; only the directory part is request-controlled.
    String name = "bgimage.jpg";
    // The emptiness test is the only check made on skinName.
    if (StringUtils.isNotEmpty(themeDir)) {
        File pathDir = new File(savePath);
        // Creates the request-chosen directory tree when it does not exist yet.
        if (!pathDir.exists()) {
            pathDir.mkdirs();
        }
        DiskFileItemFactory fac = new DiskFileItemFactory();
        ServletFileUpload upload = new ServletFileUpload(fac);
        upload.setHeaderEncoding("utf-8");
        List fileList = null;
        try {
            fileList = upload.parseRequest(request);
            Iterator iter = fileList.iterator();
            while (iter.hasNext())
            {
                FileItem item = (FileItem)iter.next();
                // Only file parts are handled; ordinary form fields are skipped.
                if (!item.isFormField())
                {
                    // Path + file name. The original author notes that a %00 (NUL byte) in the
                    // path can truncate it in Java, which would drop the fixed "bgimage.jpg" suffix.
                    // NOTE(review): this depends on the runtime — current JDKs are understood to
                    // reject NUL characters in File paths; confirm against the deployed JRE.
                    File saveFile = new File(savePath + name);
                    // An existing file at the target is deleted before the write.
                    if (saveFile.exists())
                    {
                        saveFile.delete();
                    }
                    // Uploaded content is written as-is; every file part goes to the same target.
                    item.write(saveFile);
                }
            }
        }
        // NOTE(review): the published excerpt stops here — the catch/finally for the try
        // above and the closing brace of doGet are not shown.
    }
```