
Halo Blog CMS1.4.17 Fileupload without file type authentication

Open ziping21 opened this issue 2 years ago • 1 comments

Which version has this problem?

1.4.17

Which database is used?

MySQL 5.7

How was it deployed?

Fat Jar

Online site address

https://demo.halo.run/admin/index.html#/comments

What happened?

The vulnerability can lead to the upload of arbitrary malicious script files.

Related log output

no

Additional information

Black-box penetration:

  1. Use (demo:P@ssw0rd123...) to log in to https://demo.halo.run/admin, then find the attachment upload feature and try to upload a random image.

[screenshot]

  2. While uploading a random image, use Burp Suite to catch the request packet and forward it to the Repeater module.

[screenshot]

  3. You can tell we successfully uploaded the image from the screenshot below, and we can also get the path of the image according to the response.

[screenshot]

  4. Now we want to use the feature again. This time, try to change the file suffix and modify the file content at the same time. After doing that, send the request again. The upload is still successful, and the file path is also returned.

[screenshot]

  5. Now try to access the file path within the URL below, and our XSS payload is successfully executed.

[screenshot]

  6. Screenshots of other file types uploaded are as follows:

[screenshot]

[screenshot]

Source code review: download the source code for security analysis from https://github.com/halo-dev/halo/releases/tag/v1.4.17 (latest version 1.4.17).

[screenshot]

  1. Check the source code and locate the class src\main\java\run\halo\app\controller\admin\api\AttachmentController.java. According to the annotations of this class, you can find that all requests to the path /api/admin/attachments will access this class.

[screenshot]

  2. The /upload path accessed by the upload interface will access the uploadAttachment method of this class.

[screenshot]

  3. As you can see, this method receives the file from the client side, then passes the file object as an argument to the upload() method of the AttachmentServiceImpl class and executes it, and then passes the result as an argument to the convertToDto() method of the AttachmentServiceImpl class.
  4. So let's follow up on the upload() method first: locate the src\main\java\run\halo\app\service\impl\AttachmentServiceImpl.java class and dive into the upload() method.

[screenshot]

  5. You can see that the code does not have any file suffix checksum, and finally the upload() method will return a create(attachment) object. Continue to follow up to the create() method; you can see that an Attachment class object is returned, and there is no file checksum.

[screenshot]

  6. The returned object is passed as an argument to the convertToDto() method of the src\main\java\run\halo\app\service\impl\AttachmentServiceImpl.java class, in which you can see that the code writes the path of the uploaded file to the AttachmentDTO instance object. It can be found that there is no logic for permission checking, and finally the method returns an AttachmentDTO instance object.

[screenshot]

  7. When the file path is set, this information will be brought into the response packet and eventually fed back to the client, so we can successfully access the uploaded file based on the path information in the response packet.
  8. According to the analysis of the above code, we can see that there is no logic in the code to check the file suffix, file content or file format, so it can lead to arbitrary file upload.

ziping21 avatar Mar 04 '22 10:03 ziping21
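A defensive counterpart to the missing check described in the upload() walkthrough above, added here as an example and not taken from Halo's code: a hypothetical `UploadValidator` that allowlists extensions, verifies the file's magic bytes against that extension, and assigns a server-generated storage name. The class name, allowlist and magic-byte table are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

// Hypothetical validator, an added example rather than Halo's own code. A file is
// accepted only if its extension is on an allowlist AND its first bytes carry the
// magic number expected for that extension; the stored name is server-generated.
public final class UploadValidator {
    // Extension -> accepted magic-byte prefixes. Browser-executable formats
    // (html, svg, js, ...) are deliberately absent from the allowlist.
    private static final Map<String, List<byte[]>> ALLOWED = Map.of(
        "png",  List.of(new byte[]{(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}),
        "jpg",  List.of(new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF}),
        "jpeg", List.of(new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF}),
        "gif",  List.of("GIF87a".getBytes(StandardCharsets.US_ASCII),
                        "GIF89a".getBytes(StandardCharsets.US_ASCII)));

    /** Returns a safe storage name, or throws IllegalArgumentException to reject. */
    public static String validate(String clientName, byte[] content) {
        if (clientName == null || clientName.indexOf('\0') >= 0
                || clientName.contains("/") || clientName.contains("\\")) {
            throw new IllegalArgumentException("invalid file name");
        }
        int dot = clientName.lastIndexOf('.');
        if (dot < 0 || dot == clientName.length() - 1) {
            throw new IllegalArgumentException("missing file extension");
        }
        String ext = clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        List<byte[]> magics = ALLOWED.get(ext);
        if (magics == null) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        boolean matches = magics.stream().anyMatch(m -> content.length >= m.length
                && Arrays.equals(Arrays.copyOf(content, m.length), m));
        if (!matches) {
            throw new IllegalArgumentException("content does not match ." + ext);
        }
        return UUID.randomUUID() + "." + ext; // client-supplied name never reaches disk
    }

    public static void main(String[] args) {
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0};
        System.out.println(validate("avatar.PNG", png)); // accepted and renamed
        try { validate("note.html", "<html>".getBytes(StandardCharsets.US_ASCII)); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Wiring such a check in before the create(attachment) call closes the gap the report describes; the server-generated name also stops the response from echoing back a client-chosen path.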

We will provide the setting to allow file extensions to be uploaded in 2.0, thank you for your feedback.

ruibaby avatar Mar 05 '22 06:03 ruibaby