Vulnerability description:
The addStudent and editStudent methods in src/main/java/com/wdd/studentmanager/controller/StudentController.java, and the addTeacher and editTeacher methods in src/main/java/com/wdd/studentmanager/controller/TeacherController.java, do not restrict the extension or the content of uploaded files, so JSP webshells and HTML files can be uploaded. One limitation applies: the application has to be restarted before an uploaded file can be reached over HTTP; until then the file is on disk but is not served.
Code Audit:
The addStudent and editStudent methods in src/main/java/com/wdd/studentmanager/controller/StudentController.java and the addTeacher and editTeacher methods in src/main/java/com/wdd/studentmanager/controller/TeacherController.java accept the upload as-is: the extension is not checked against an allowlist and the content is not inspected. The server replaces the file name with a UUID but keeps the client-supplied extension, and it writes the file into src/main/resources/static/upload/imgs, which is the project's source tree rather than a runtime upload directory. Spring Boot serves classpath:/static/ from the build output, not from src/main/resources, which is why a newly written file only becomes reachable after the project is rebuilt and restarted.
Vulnerability verification:
Select a student and click modify.
Upload a JSP file.
Returned file name: a0e565a2-1266-4785-8dd2-3c186d082b18.jsp
Select another student and upload an HTML file.
Returned file name: bf0695d9-4ff2-44f8-872a-f32e584ade98.html
Both files are written to src\main\resources\static\upload\imgs.
Restart the project so the uploaded files become reachable.
After the restart the HTML file opens directly: http://192.168.0.102:8080/upload/imgs/bf0695d9-4ff2-44f8-872a-f32e584ade98.html
The JSP file, however, is only offered as a download at http://192.168.0.102:8080/upload/imgs/a0e565a2-1266-4785-8dd2-3c186d082b18.jsp: the static resource handler serves it as a plain file instead of compiling it, so the webshell does not execute. The HTML file is still served from the application's own origin, so attacker-controlled markup and script run in the context of the site.
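The fix the audit points at is an allowlist on the extension, a check that the content actually is an image, and a storage location outside the source tree. The class below is an added example written for this report; it is not code from the studentmanager project. It assumes the controller hands over file.getOriginalFilename() and file.getInputStream() from the Spring MultipartFile, and that uploadDir is a directory outside the classpath that is exposed through a resource handler (for example with spring.web.resources.static-locations=file:/var/studentmanager/uploads/; the path is an assumption). The sample PNG header in main() is constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/**
 * Hardened image upload helper (added example, not the studentmanager project's code).
 * The controller is expected to call store(file.getOriginalFilename(),
 * file.getInputStream(), uploadDir) where uploadDir lives outside the classpath.
 */
public final class SafeImageUpload {

    // Only the image types the profile-picture feature needs; .jsp/.html never pass.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("png", "jpg", "jpeg", "gif");

    // Leading bytes of each allowed format; the extension alone is attacker-controlled.
    private static final Map<String, byte[]> MAGIC = Map.of(
            "png",  new byte[]{(byte) 0x89, 'P', 'N', 'G'},
            "jpg",  new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "gif",  new byte[]{'G', 'I', 'F', '8'});

    private static final long MAX_BYTES = 2L * 1024 * 1024;   // assumed size limit

    private SafeImageUpload() {}

    /** Returns the lowercase extension if it is on the allowlist, otherwise throws. */
    static String checkedExtension(String originalName) {
        if (originalName == null) throw new IllegalArgumentException("missing filename");
        // Drop any client-supplied directory part ("../x.png", "C:\\x.png").
        String base = originalName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) {
            throw new IllegalArgumentException("no extension");
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        return ext;
    }

    /** True when the first bytes of the content match the claimed image format. */
    static boolean magicMatches(String ext, byte[] head) {
        byte[] expected = MAGIC.get(ext);
        if (expected == null || head.length < expected.length) return false;
        return Arrays.equals(Arrays.copyOf(head, expected.length), expected);
    }

    /**
     * Validates and stores the upload. Returns the server-generated file name,
     * which is the only value the caller should persist and show to users.
     */
    public static String store(String originalName, InputStream in, Path uploadDir) throws IOException {
        String ext = checkedExtension(originalName);
        byte[] data = in.readNBytes((int) MAX_BYTES + 1);
        if (data.length > MAX_BYTES) throw new IllegalArgumentException("file too large");
        if (!magicMatches(ext, data)) {
            throw new IllegalArgumentException("content does not match ." + ext);
        }
        // Server-generated name plus the validated extension: no user input reaches the path.
        String stored = UUID.randomUUID() + "." + ext;
        Path dir = uploadDir.toAbsolutePath().normalize();
        Path target = dir.resolve(stored).normalize();
        if (!target.startsWith(dir)) throw new IllegalStateException("path escape");
        Files.createDirectories(dir);
        Files.write(target, data);
        return stored;
    }

    // Stand-alone demo: a constructed PNG header is accepted, the same bytes named .jsp are rejected.
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("uploads");
        byte[] fakePng = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
        System.out.println("stored as " + store("photo.png", new ByteArrayInputStream(fakePng), dir));
        try {
            store("shell.jsp", new ByteArrayInputStream(fakePng), dir);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Moving the upload directory out of src/main/resources also removes the restart quirk described above: a file handler mapped to a filesystem directory serves new files immediately, so the check has to be in the upload path rather than relying on the file being unreachable until the next restart.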
Source code name:studentmanager
Source code version:1.0
Source code download link:https://github.com/ZeroWdd/studentmanager/archive/refs/heads/master.zip