任意文件上传漏洞 #175
Comments
|
非常感谢 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
|
非常感谢 |
您好:
360代码卫士团队在lemon中发现了任意文件上传漏洞,详细信息如下:
在CdnController.java文件中,存在文件上传的功能
调用了CdnUtils中的copyMultipartFileToFile方法,但是方法中只对文件上传的文件名是否还有../做了判断并没有对文件类型和spaceName参数做判断,所以依然是可以上传任意文件并且通过spaceName来进行路径回溯
The text was updated successfully, but these errors were encountered: