Path Traversal in welliamcao/opsmanage

Valid

Reported on

Nov 15th 2021


Vulnerability

The nginx configuration given in the README.md file contains a security flaw that lets a malicious attacker read arbitrary files in the project. The "location /static" block has no trailing slash while its "alias" path ends in one, so nginx appends whatever follows "/static" in the request URI to /mnt/OpsManage/static/; a request for /static../ is therefore served from /mnt/OpsManage/static/../, i.e. the project root, and with "autoindex on" the directory listing is returned as well.

POC

For the demo instance linked on GitHub, one feasible attack is:

http://42.194.214.22:8000/static../

The files of the entire project can be read. If a user has customised this project and written sensitive information into init.sqlconf/, the damage could be considerable.

Impact

An attacker can read any file under the project directory.

Occurrences

location /static {
    expires 30d;
    autoindex on;
    add_header Cache-Control private;
    alias /mnt/OpsManage/static/;
}

Change to:

location /static/ {
    expires 30d;
    autoindex on;
    add_header Cache-Control private;
    alias /mnt/OpsManage/static/;
}

location /media/avatar {
    expires 30d;
    autoindex on;
    add_header Cache-Control private;
    alias /mnt/OpsManage/upload/avatar/;
}

Change to:

location /media/avatar/ {
    expires 30d;
    autoindex on;
    add_header Cache-Control private;
    alias /mnt/OpsManage/upload/avatar/;
}
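The following is an added example, not part of the huntr report or of the OpsManage project: a small Python checker that scans an nginx configuration for the alias "off-by-slash" pattern fixed above (a prefix location without a trailing slash paired with an alias that ends in one), and a helper that models how nginx builds the filesystem path for such a location so the difference between the vulnerable and the fixed block can be seen on any request URI. The sample configuration embedded in the block is constructed from the snippets in this report; the function names and the simplified path model are the example's own assumptions, not nginx internals.

```python
import posixpath
import re

# Constructed sample config: the vulnerable "location /static" block quoted in
# the report, the corrected "/media/avatar/" block, and an unrelated proxy block.
SAMPLE_CONF = """
location /static {
        expires 30d;
        autoindex on;
        add_header Cache-Control private;
        alias /mnt/OpsManage/static/;
     }

location /media/avatar/ {
        expires 30d;
        alias /mnt/OpsManage/upload/avatar/;
     }

location / {
        proxy_pass http://127.0.0.1:8000;
     }
"""

# "location [modifier] prefix {" ; modifier is optional (=, ~, ~*, ^~)
LOCATION_RE = re.compile(r'location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{')
ALIAS_RE = re.compile(r'^\s*alias\s+(\S+?)\s*;', re.MULTILINE)


def iter_location_blocks(conf):
    """Yield (modifier, prefix, body) for each location block.

    Braces are counted so that nested blocks (e.g. an "if" inside a location)
    end up inside the right body.
    """
    for m in LOCATION_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            if conf[i] == '{':
                depth += 1
            elif conf[i] == '}':
                depth -= 1
            i += 1
        yield m.group(1), m.group(2), conf[m.end():i - 1]


def find_alias_traversal(conf):
    """Return [(prefix, alias)] for every prefix location whose prefix lacks a
    trailing slash while its alias has one: the combination that makes nginx
    expand "/prefix.." into "<alias>..".
    """
    findings = []
    for modifier, prefix, body in iter_location_blocks(conf):
        if modifier in ('=', '~', '~*'):
            continue  # exact and regex locations are not prefix-substituted this way
        alias = ALIAS_RE.search(body)
        if alias and not prefix.endswith('/') and alias.group(1).endswith('/'):
            findings.append((prefix, alias.group(1)))
    return findings


def resolve_alias(prefix, alias, uri):
    """Simplified model of nginx path construction for a prefix location with
    "alias": the matched prefix is cut off the URI and the remainder is glued
    onto the alias, then the result is normalised.

    nginx merges "/../" segments in the URI before matching, which is why only
    the "/static.." form (no slash before the dots) survives to reach the alias.
    Returns None when the location does not match the request at all.
    """
    uri = posixpath.normpath(uri)
    if not uri.startswith(prefix):
        return None
    return posixpath.normpath(alias + uri[len(prefix):])


if __name__ == '__main__':
    for prefix, alias in find_alias_traversal(SAMPLE_CONF):
        print(f'suspicious: location {prefix} with alias {alias}')
        print('  /static../ ->', resolve_alias(prefix, alias, '/static../'))
    print('fixed block, /static../ ->',
          resolve_alias('/static/', '/mnt/OpsManage/static/', '/static../'))
```

Run against a real nginx.conf by reading the file into find_alias_traversal; the common remedy, as the report's fix shows, is to give the location the same trailing slash as its alias (or to use "root" instead of "alias" where the directory layout allows it).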
We are processing your report and will contact the welliamcao/opsmanage team within 24 hours. 13 days ago
Dig2 submitted a
13 days ago
We have contacted a member of the welliamcao/opsmanage team and are waiting to hear back 12 days ago
William.Cao validated this vulnerability 11 days ago
Dig2 has been awarded the disclosure bounty
The fix bounty is now up for grabs
William.Cao confirmed that a fix has been merged on 9cd6b1 11 days ago
William.Cao has been awarded the fix bounty
README.md?plain=1#L230 has been validated
README.md?plain=1#L220 has been validated