In web site source code security audits, an arbitrary file read vulnerability is a relatively high-risk finding in the overall site security report. Ordinary web sites commonly contain this kind of vulnerability, and platforms, shopping malls and interactive sites even more so. Like a normal permission bypass vulnerability, its result is that any file on the site can be read, including the site's configuration files such as config.php and conn.php.
While performing a web site security audit of the Gitea open source code, our company, Sine Security, found an arbitrary file read vulnerability: any user account, without authorization, can create Gitea LFS objects beyond its privileges. In plain terms, this object is used when writing third-party API interfaces against the Gitea code, and it supports reading files, uploading files, listing directories and similar read and write operations. The OID in this API is the value of a Gitea object, a hash; the front end performs no validation or security filtering on this ID value, so arbitrary characters can be inserted and passed to the server back end, which results in the file read vulnerability. We reproduce the exploitation of the vulnerability on the site as follows:
First, POST data to the address /vulhub/repo.git/info/lfs/objects, i.e. the info/lfs/objects endpoint under the repo.git directory of the /vulhub repository.
For example:
In the POSTed data we can use the OID value to insert code that reads web site files, but the vulnerability has one prerequisite: Gitea must have public access enabled by default. Only then does creating the Gitea object turn into a permission-bypass file read. Public access is required because a previously created Gitea object does not take effect until it is exposed; Gitea then checks whether the current user has permission to access the LFS object. After the POST is sent, the returned packet has status 200, meaning the Gitea object was created successfully, and the oid= value written in our POST data is ../../etc/passwd, a path that reads the Linux user password file under the etc folder in the system root directory.
Next we look at the contents of this /etc/passwd file. How is the password file viewed? We submit with GET, editing the URL to:
/vulhub/repo.git/info/lfs/objects/[../../etc/passwd]/sth, then open the Chinaz URL encoding tool and encode it; submitting that request shows us the contents of the /etc/passwd file.
So how did the site's vulnerability arise?
Looking at the Gitea source code, we find that the Meta.oid value is passed to the Transformkey function, which converts the OID value into a different encoding. The character content can be written arbitrarily, with no length limit and no character restriction, so when the posted OID value is changed to ../../etc/passwd the file path is passed through directly and the file is read.
Site Bug Fix Recommendations:
Upgrade Gitea to the latest version as soon as possible and harden the site: security-filter POST packets and, if conditions allow, deploy a firewall for GET and POST requests that filters the submitted GET and POST data; when an attempt to read a system file such as /etc/passwd is found, intercept it directly and return a 301 status.
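As an added example that is not part of the original article or of Gitea's own code, this shows the kind of OID check the fix above calls for, written in Go since that is Gitea's language. It assumes that an LFS OID is a SHA-256 digest in lowercase hex, and the base/aa/bb/<oid> store layout and the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"regexp"
	"strings"
)

// Git LFS object ids are SHA-256 digests: exactly 64 lowercase hex characters.
var oidPattern = regexp.MustCompile(`^[a-f0-9]{64}$`)

// ValidateOID accepts only a well-formed LFS oid; path separators, "..",
// URL-encoded bytes or a wrong length are rejected before any path is built.
func ValidateOID(oid string) error {
	if !oidPattern.MatchString(oid) {
		return fmt.Errorf("invalid LFS oid %q", oid)
	}
	return nil
}

// ObjectPath builds the on-disk location of a validated oid. The base/aa/bb/<oid>
// layout is an assumption for this example, not Gitea's actual layout.
func ObjectPath(base, oid string) (string, error) {
	if err := ValidateOID(oid); err != nil {
		return "", err
	}
	return filepath.Join(base, oid[0:2], oid[2:4], oid), nil
}

// IsTraversalAttempt flags a raw or URL-encoded request value carrying ".." or a
// separator, which is what a WAF rule or log alert for this bug should key on.
func IsTraversalAttempt(oid string) bool {
	decoded, err := url.PathUnescape(oid)
	if err != nil {
		decoded = oid
	}
	return strings.Contains(decoded, "..") || strings.ContainsAny(decoded, `/\`)
}

func main() {
	// Constructed inputs: one genuine-looking oid and two traversal payloads.
	for _, s := range []string{strings.Repeat("ab", 32), "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd"} {
		_, err := ObjectPath("/var/lib/gitea/lfs", s)
		fmt.Printf("%q valid=%v traversal=%v\n", s, err == nil, IsTraversalAttempt(s))
	}
}
```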