FE协作办公平台 /servlet/ChangeBGServlet 任意文件上传漏洞

- AV AC AU C I A
发布: 2025-04-13
修订: 2025-04-13

<p>漏洞文件:/servlet/ChangeBGServlet</p><p>漏洞参数:skinName</p><p>影响版本:FE5.5.2及以下版本</p><p>代码片段:<br></p> ``` public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String savePath = getServletConfig().getServletContext().getRealPath(""); String themeDir = request.getParameter("skinName");//获取参数,未过滤处理 savePath = savePath + File.separator + "login" + File.separator + "theme" + File.separator + themeDir + File.separator + "images" + File.separator;//参数拼接到路径里 String name = "bgimage.jpg"; if (StringUtils.isNotEmpty(themeDir)) { File pathDir = new File(savePath); if (!pathDir.exists()) { pathDir.mkdirs(); } DiskFileItemFactory fac = new DiskFileItemFactory(); ServletFileUpload upload = new ServletFileUpload(fac); upload.setHeaderEncoding("utf-8"); List fileList = null; try { fileList = upload.parseRequest(request); Iterator iter = fileList.iterator(); while (iter.hasNext()) { FileItem item = (FileItem)iter.next(); if...

0%
暂无可用Exp或PoC
当前有0条受影响产品信息