Path Traversal in welliamcao/opsmanage

Valid

Reported on

Nov 15th 2021


Vulnerability

The nginx configuration given in README.md contains a security flaw that lets a malicious attacker read arbitrary files in the project.

POC

For the demo address on GitHub, one workable attack is:

http://42.194.214.22:8000/static../

As can be seen, the files of the entire project are readable. If a user has done secondary development on the project and written sensitive information into init.sqlconf/, the damage could be considerably greater.

Impact

An attacker can read arbitrary files under the project directory.

Occurrences

location /static {
    expires 30d;
    autoindex on;
    add_header Cache-Control private;
    alias /mnt/OpsManage/static/;
}

Change to

location /static/ {
    expires 30d;
    autoindex on;
    add_header Cache-Control private;
    alias /mnt/OpsManage/static/;
}

location /media/avatar {
    expires 30d;
    autoindex on;
    add_header Cache-Control private;
    alias /mnt/OpsManage/upload/avatar/;
}

Change to

location /media/avatar/ {
    expires 30d;
    autoindex on;
    add_header Cache-Control private;
    alias /mnt/OpsManage/upload/avatar/;
}
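Why the trailing slash matters, as an added Python example that is not part of this report or of the OpsManage project: for a prefix location nginx replaces the matched prefix with the alias value verbatim and appends the rest of the URI, so with `location /static` and `alias /mnt/OpsManage/static/` a request for `/static../` becomes `/mnt/OpsManage/static/../`, which the filesystem resolves to the project root. With `location /static/` the URI `/static../` does not match the location at all, and `/static/../` is normalised to `/` before matching. The script mimics that substitution and scans a config fragment for the prefix/alias mismatch; the two fragments are the vulnerable and corrected `/static` blocks quoted above, and `normalize_uri` is a simplified stand-in for nginx's own URI normalisation.

```python
import posixpath
import re

# The two nginx fragments below are the vulnerable and the corrected form of
# the /static location from the report, embedded as sample input.
VULNERABLE_CONF = """
location /static {
    expires 30d;
    autoindex on;
    add_header Cache-Control private;
    alias /mnt/OpsManage/static/;
}
"""

FIXED_CONF = """
location /static/ {
    expires 30d;
    autoindex on;
    add_header Cache-Control private;
    alias /mnt/OpsManage/static/;
}
"""

# Only plain prefix locations are parsed; modifier forms (=, ~, ~*, ^~) are skipped.
LOCATION_RE = re.compile(r"location\s+([^\s{]+)\s*\{([^}]*)\}")
ALIAS_RE = re.compile(r"\balias\s+([^;\s]+)\s*;")


def normalize_uri(uri):
    """Simplified stand-in for nginx's URI normalisation: collapse '.' and '..'
    segments and keep a trailing slash. '/static../' is one segment named
    'static..' and survives untouched, while '/static/../' collapses to '/'
    and can no longer match the /static location."""
    segs = []
    for seg in uri.split("/")[1:]:
        if seg == "..":
            if segs:
                segs.pop()
        elif seg != ".":
            segs.append(seg)
    return "/" + "/".join(segs)


def parse_locations(conf):
    """Return (prefix, alias) pairs for every prefix location that uses alias."""
    pairs = []
    for m in LOCATION_RE.finditer(conf):
        prefix, body = m.group(1), m.group(2)
        if prefix[0] in "=~^":
            continue
        a = ALIAS_RE.search(body)
        if a:
            pairs.append((prefix, a.group(1)))
    return pairs


def resolve_alias(prefix, alias, request_path):
    """Mimic alias handling: the matched prefix is replaced verbatim by the
    alias value, the rest of the URI is appended, and the filesystem then
    resolves any '..' that the concatenation produced. None if no match."""
    uri = normalize_uri(request_path)
    if not uri.startswith(prefix):
        return None
    return posixpath.normpath(alias + uri[len(prefix):])


def escapes_alias(prefix, alias, request_path):
    """True when the resolved path lies outside the alias directory."""
    resolved = resolve_alias(prefix, alias, request_path)
    if resolved is None:
        return False
    root = posixpath.normpath(alias)
    return resolved != root and not resolved.startswith(root + "/")


def find_off_by_slash(conf):
    """Flag prefix locations whose alias ends in '/' while the prefix does not,
    and report where '<prefix>../' would resolve for each of them."""
    findings = []
    for prefix, alias in parse_locations(conf):
        if alias.endswith("/") and not prefix.endswith("/"):
            findings.append((prefix, alias, resolve_alias(prefix, alias, prefix + "../")))
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(name, find_off_by_slash(conf))
```

Running the script reports the `/static` block as resolving `/static../` to `/mnt/OpsManage` and reports nothing for the corrected block; the same check applies unchanged to the `/media/avatar` location, which has the identical prefix/alias mismatch.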

Timeline

We are processing your report and will contact the welliamcao/opsmanage team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
Cooper submitted a
2 years ago
We have contacted a member of the welliamcao/opsmanage team and are waiting to hear back 2 years ago
William.Cao validated this vulnerability 2 years ago
Cooper has been awarded the disclosure bounty
The fix bounty is now up for grabs
William.Cao marked this as fixed with commit 9cd6b1 2 years ago
William.Cao has been awarded the fix bounty
This vulnerability will not receive a CVE
README.md?plain=1#L230 has been validated
README.md?plain=1#L220 has been validated