CVE-2021-21234 spring-boot-actuator-logview Directory traversal vulnerability

Environment setup:
https://github.com/cristianeph/vulnerability-actuator-log-viewer

After starting it, open http://localhost:8887/manage/log/

The vulnerability: /etc/passwd can be reached through directory traversal.

Vulnerability analysis:

The log shows that /log/view is handled by the method eu.hinsch.spring.boot.actuator.logview.LogViewEndpoint.view

Looking at the code:

    @RequestMapping("/view")
    public void view(@RequestParam String filename,
                     @RequestParam(required = false) String base,
                     @RequestParam(required = false) Integer tailLines,
                     HttpServletResponse response) throws IOException {
        securityCheck(filename);   // only filename is validated; base is not
        response.setContentType(MediaType.TEXT_PLAIN_VALUE);

        Path path = loggingPath(base);   // logging.path joined with the unchecked base
        FileProvider fileProvider = getFileProvider(path);
        if (tailLines != null) {
            fileProvider.tailContent(path, filename, response.getOutputStream(), tailLines);
        }
        else {
            fileProvider.streamContent(path, filename, response.getOutputStream());
        }
    }
First, filename is checked: securityCheck tests whether the file name contains "..".

Next the logging path is obtained by joining logging.path from application.properties with base, which is not checked.
A fileProvider is created for that path and streamContent is called.
streamContent resolves the requested file name against that path (which already carries the unchecked base) and opens it with a FileInputStream, giving arbitrary file read.
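As an added illustration of the mitigation (example code written for this page, not the project's own), the stand-alone Java class below places a resolver that mirrors the flow described above next to a hardened one that validates both parameters and then checks that the normalized result still lies under the logging root. LOG_ROOT, the body of securityCheck and the request values are assumptions constructed for the example, and POSIX-style paths are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class LogViewPathCheck {
    // Assumed stand-in for logging.path from application.properties.
    static final Path LOG_ROOT = Paths.get("/var/log/app").normalize();

    // Mirrors the page's description of securityCheck: reject ".." in one value.
    static void securityCheck(String value) {
        if (value != null && value.contains("..")) {
            throw new IllegalArgumentException("invalid path segment: " + value);
        }
    }

    // The flow the page describes: only filename is checked, base is appended as-is.
    static Path vulnerableResolve(String base, String filename) {
        securityCheck(filename);
        Path folder = base == null ? LOG_ROOT : LOG_ROOT.resolve(base);
        return folder.resolve(filename);
    }

    // Hardened: validate both parameters, then normalize the final path and
    // require that it is still inside LOG_ROOT. Path.resolve() returns an
    // absolute argument unchanged, so the startsWith() containment check, not
    // the ".." filter, is what actually keeps the result under the root.
    static Path hardenedResolve(String base, String filename) {
        securityCheck(filename);
        securityCheck(base);
        Path folder = base == null ? LOG_ROOT : LOG_ROOT.resolve(base);
        Path resolved = folder.resolve(filename).normalize();
        if (!resolved.startsWith(LOG_ROOT)) {
            throw new IllegalArgumentException("path escapes logging root: " + resolved);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal request and a base containing traversal.
        System.out.println(vulnerableResolve("2021-01", "app.log"));
        System.out.println(vulnerableResolve("../../../etc", "passwd").normalize());
        System.out.println(hardenedResolve("2021-01", "app.log"));
        try {
            hardenedResolve("../../../etc", "passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second vulnerableResolve call shows the unchecked base normalizing to a path outside the logging directory, while hardenedResolve refuses the same request.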