There is a security problem with admin route verification, which leads to direct access without login
Siebene opened this issue · comments
Siebene@ commented
For post requests, you only need to configure the X-CSRF-TOKEN request header and the corresponding session
Therefore, an attacker can directly modify the template file to get rce.
And the template engine does not open the sandbox. it makes it particularly easy for attackers.
Just need to set the parameter content to
#set(in=new java.io.InputStreamReader(java.lang.Runtime::getRuntime().exec('xxx').getInputStream()))#set(buf=new java.io.BufferedReader(in))
Then visit the page.
(At the same time, this route /admin/api/template/save
has a arbitrary file read)
Env:
Win10
JDK8u261
tale v2.0.5