NeverStopExploiting用户9473
Path Traversal and Arbitrary File Write Vulnerability in Blossom ≤ 1.17.1
输入“/”快速插入内容
Path Traversal and Arbitrary File Write Vulnerability in Blossom ≤ 1.17.1
Path Traversal and Arbitrary File Write Vulnerability in Blossom ≤ 1.17.1
用户9473用户94732月4日修改
BUG_Author: ChengxinXu
Affected Version: Blossom ≤ 1.17.1
Vulnerability Files:
blossom-backend/backend/src/main/java/com/blossom/backend/server/picture/PictureBlosController.java
blossom-backend/backend/src/main/java/com/blossom/backend/server/picture/PictureService.java
blossom-backend/common/common-iaas/src/main/java/com/blossom/common/iaas/blos/BLOSManager.java
Description:
1. Path Traversal via File Upload (/picture/file/upload)
In the file PictureService.java, the insert() method does not properly validate the filename parameter before constructing the file path. This allows attackers to use path traversal sequences (../) to write files outside the intended upload directory.
Vulnerable Code (PictureService.java:140-203):
代码块
publicreEntity insert(MultipartFile file, String filename, Long pid, Long userId, Boolean repeatUpload) {
// ...
if (StrUtil.isBlank(filename)) {
pic.setName(file.getOriginalFilename());
} else {
pic.setName(filename); // User-controlled input
if (StrUtil.isBlank(FileUtil.getSuffix(filename))) {
pic.setName(filename + "." + pic.getSuffix());
}
}
final String pname = "/" + pic.getName();
if (pid == null || pid <= 0) {
pic.setPathName(rootPath + uid + pname); // Path concatenation without validation
} else {
// ...
pic.setPathName(rootPath + uid + storePath + pname);
}
// ...
osManager.put(pic.getPathName(), inputStream); // Writes to arbitrary location
}
Root Cause (BLOSManager.java:70-75):
代码块
@Override
public String put(String filename, InputStream inputStream) {
File file = FileUtil.newFile(filename); // No path validation!
FileUtil.writeFromStream(inputStream, file);
return getDomain() + filename;
}
An attacker can combine these vulnerabilities overwrite critical application files or system configurations (like cron job)
Proof of Concept:
Prerequisites:
•
Authenticated user account
•
Access to the Blossom application
Step 1: Obtain Authentication Token
代码块
# Login to get authentication token
curl -X POST http://<target-ip>:9999/login \
-H "Content-Type: application/json" \
-d '{
"username": "blos",
"password": "blos",
"grantType": "password",
"clientId": "blossom"
}'