UEditor contains an arbitrary file upload vulnerability. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
PoC代码[已公开]
id: ueditor-file-upload
info:
name: UEditor - Arbitrary File Upload
author: princechaddha
severity: high
description: UEditor contains an arbitrary file upload vulnerability. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://zhuanlan.zhihu.com/p/85265552
- https://www.freebuf.com/vuls/181814.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cwe-id: CWE-434
metadata:
max-request: 1
tags: ueditor,fileupload,intrusive,vuln
http:
- method: GET
path:
- "{{BaseURL}}/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "没有指定抓取源"
part: body
# digest: 4a0a004730450220396f97b2adc2cd19e5f9128fda595fc9dc849131c22626f6a66de58265e441cc022100b318fe2495b418e732c6f4fec0f96e438ff7952eb5d2361740edfd4570ed8224:922c64590222798bb761d5b6d8e72950