CVE-2021-43734: arbitrary file read vulnerability · Issue #304 · kekingcn/kkFileView
kkFileview v4.0.0 has arbitrary file read through a directory traversal vulnerability which may lead to sensitive file leak on related host.
kkFileView arbitrary file read vulnerability
Description
Recently, during an internal penetration test at my company, I found that a referenced instance of kkFileView 4.0.0 has an arbitrary file read vulnerability: any file on the host can be read through it, which easily leads to sensitive information leakage. kkFileView v4.0.0 has an arbitrary file read vulnerability which may lead to sensitive file leakage on the affected host.
Vulnerable code location
The vulnerable code is located at line 103 of kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java: the value passed through the urlPath parameter supports the file protocol.
```java
/**
 * Fetch file content by URL.
 * Used by pdf.js to read files that would otherwise run into cross-origin problems.
 *
 * @param urlPath url
 * @param response response
 */
@RequestMapping(value = "/getCorsFile", method = RequestMethod.GET)
public void getCorsFile(String urlPath, HttpServletResponse response) {
    logger.info("下载跨域pdf文件url:{}", urlPath);
    try {
        // urlPath is only normalised; its scheme is never restricted, so a file: URL is accepted
        URL url = WebUtils.normalizedURL(urlPath);
        // whatever the URL resolves to is read and streamed back to the client unchanged
        byte[] bytes = NetUtil.downloadBytes(url.toString());
        IOUtils.write(bytes, response.getOutputStream());
    } catch (IOException | GalimatiasParseException e) {
        logger.error("下载跨域pdf文件异常,url:{}", urlPath, e);
    }
}
```
Proof of concept (PoC)
The official demo site runs the latest version, 4.0.0, so it is used for the demonstration: visiting https://file.keking.cn/getCorsFile?urlPath=file:///etc/passwd returns the file, which proves the concept.
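As an added example (not kkFileView's own code, and not the project's eventual fix), the two controls a defender would want around the endpoint above: a default-deny scheme allow-list for the urlPath parameter as the controller receives it, and a scan of combined-format access logs (constructed sample lines below) for getCorsFile requests whose urlPath would not pass that allow-list. The log format and the function names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Only absolute http(s) URLs with a host may be fetched on behalf of pdf.js.
ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_preview_url(url_path: str) -> bool:
    """Allow-list check for the (already percent-decoded) urlPath parameter.

    Default deny: anything without a recognised scheme and host is rejected,
    so file:, jar:, scheme-relative and double-encoded values all fail.
    Note that this does not by itself stop http(s) requests to internal
    hosts; restricting destinations is a separate control.
    """
    parts = urlsplit(url_path.strip())  # urlsplit lowercases the scheme
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


# Constructed sample access-log lines (not from a real server).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Dec/2021:10:00:01 +0000] "GET /getCorsFile'
    '?urlPath=http%3A%2F%2Fexample.com%2Freport.pdf HTTP/1.1" 200 5123',
    '10.0.0.9 - - [01/Dec/2021:10:00:07 +0000] "GET /getCorsFile'
    '?urlPath=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1817',
    '10.0.0.9 - - [01/Dec/2021:10:00:09 +0000] "GET /onlinePreview'
    '?url=aHR0cDovL2V4YW1wbGUuY29tL2EucGRm HTTP/1.1" 200 4001',
]


def find_non_http_fetches(log_lines):
    """Return (client_ip, decoded_urlPath) for every getCorsFile request
    whose urlPath fails the allow-list, i.e. a local-file read attempt."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]  # 'GET /path?query HTTP/1.1'
            target = request.split()[1]
        except IndexError:
            continue  # malformed line, not a combined-format request
        parsed = urlsplit(target)
        if parsed.path != "/getCorsFile":
            continue
        # parse_qs percent-decodes once, as the servlet container does
        for value in parse_qs(parsed.query).get("urlPath", []):
            if not is_allowed_preview_url(value):
                hits.append((line.split()[0], value.strip()))
    return hits


if __name__ == "__main__":
    for ip, url in find_non_http_fetches(SAMPLE_ACCESS_LOG):
        print(f"non-http urlPath from {ip}: {url}")
```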