
arbitrary file read vulnerability

Open Cynthrial opened this issue 3 years ago • 3 comments

kkFileView arbitrary file read vulnerability

Description

During a recent internal penetration test at my company I found that a referenced instance of kkFileView 4.0.0 has an arbitrary file read vulnerability: any file on the host can be read through it, which easily leads to sensitive information disclosure.

kkFileView v4.0.0 has an arbitrary file read vulnerability which may lead to sensitive file leaks on the affected host.

Vulnerable code location

Line 103 of kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java: the urlPath parameter accepts the file protocol.

The vulnerable code is located at line 103 in kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java. The value passed through the urlPath parameter supports the file protocol.

    /**
     * Fetch file content from a URL.
     * Used by pdf.js to read files that would otherwise fail due to cross-origin restrictions.
     *
     * @param urlPath  url
     * @param response response
     */
    @RequestMapping(value = "/getCorsFile", method = RequestMethod.GET)
    public void getCorsFile(String urlPath, HttpServletResponse response) {
        logger.info("下载跨域pdf文件url:{}", urlPath);
        try {
            URL url = WebUtils.normalizedURL(urlPath);
            byte[] bytes = NetUtil.downloadBytes(url.toString());
            IOUtils.write(bytes, response.getOutputStream());
        } catch (IOException | GalimatiasParseException e) {
            logger.error("下载跨域pdf文件异常,url:{}", urlPath, e);
        }
    }

Proof of concept (PoC)

The official demo site runs the latest version, 4.0.0, so it is used for the demonstration. Visiting the vulnerable endpoint https://file.keking.cn/getCorsFile?urlPath=file:///etc/passwd returns the file.

The official demo site runs v4.0.0. Visit https://file.keking.cn/getCorsFile?urlPath=file:///etc/passwd and the concept is proven.

Cynthrial, Nov 14 '21 13:11

Thanks for the pointer.

gaoxingzaq, Nov 15 '21 00:11

    @RequestMapping(value = "/getCorsFile", method = RequestMethod.GET)
    public void getCorsFile(HttpServletRequest request, HttpServletResponse response) {
        // Raw query string; it is null when the request carries no query at all,
        // so guard it before calling String methods on it.
        String query = request.getQueryString();
        if (query == null) {
            query = "";
        }
        query = query.replace("%20", " ");
        try {
            query = URLDecoder.decode(query, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        // Extract the urlPath value by stripping the parameter name and the optional trailing flag
        String urlPath = query.replaceFirst("urlPath=", "");
        urlPath = urlPath.replaceFirst("&disabledownload=true", "");
        // Only http/https targets are fetched; file: (in any letter case) is rejected
        if (urlPath == null || urlPath.toLowerCase().startsWith("file") || !urlPath.toLowerCase().startsWith("http")) {
            logger.info("读取跨域文件异常,url:{}", urlPath);
        } else {
            logger.info("读取跨域文件url:{}", urlPath);
            try {
                URL url = WebUtils.normalizedURL(urlPath);
                byte[] bytes = NetUtil.downloadBytes(url.toString());
                IOUtils.write(bytes, response.getOutputStream());
            } catch (IOException | GalimatiasParseException e) {
                logger.error("读取跨域文件异常,url:{}", urlPath, e);
            }
        }
    }

gaoxingzaq, Nov 17 '21 07:11
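For comparison with the prefix-matching check in the comment above, here is an added example (not kkFileView code, and `CorsUrlGuard` is a hypothetical class name) that parses the value with java.net.URI and allows only absolute http/https URLs with a host, so scheme variants such as `FILE:` or a scheme-less path are rejected by the parser rather than by string matching:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example: allow-list the URL scheme by parsing, instead of startsWith() checks.
public final class CorsUrlGuard {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns true only if urlPath is an absolute http(s) URL with a non-empty host. */
    public static boolean isAllowed(String urlPath) {
        if (urlPath == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(urlPath.trim());
        } catch (URISyntaxException e) {
            return false; // unparseable input is never fetched
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false; // relative or scheme-less input such as "/etc/passwd"
        }
        if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return false; // file:, ftp:, jar:, etc. are rejected regardless of letter case
        }
        // "http:///etc/passwd" parses with an empty authority; require a real host
        return uri.getHost() != null && !uri.getHost().isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the reader to try
        String[] samples = {
            "https://example.com/report.pdf",  // allowed
            "file:///etc/passwd",              // rejected: scheme
            "FILE:///etc/passwd",              // rejected: scheme (case-insensitive)
            "/etc/passwd",                     // rejected: no scheme
            "http:///etc/passwd",              // rejected: no host
        };
        for (String s : samples) {
            System.out.println(isAllowed(s) + "\t" + s);
        }
    }
}
```

A scheme check alone does not restrict which hosts the server will fetch from; that is a separate allow-list decision.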

Has it been fixed?

gps1949, Sep 13 '22 02:09

Has this vulnerability been fixed successfully?

pengfan8080, Nov 09 '23 02:11

It has been fixed.

gaoxingzaq, Nov 27 '23 01:11