hayageek opened a new pull request, #1432:
URL: https://github.com/apache/wicket/pull/1432
## Path Traversal via Unsanitized Filename and Upload ID in FolderUploadsFileManager
| Attribute | Value |
|-----------|-------|
| **Severity** | Critical |
| **CVSS 3.1** | 9.1 — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` |
| **CWE** | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
## Summary
`FolderUploadsFileManager` in Apache Wicket does not validate or sanitize
the `uploadFieldId` parameter or the `clientFileName` before constructing file
paths, allowing an unauthenticated attacker to write arbitrary files outside
the intended upload directory or read files from arbitrary locations on the
server.
## Description
- **Type**: Path Traversal — Arbitrary File Write / Arbitrary File Read
- **Source**: HTTP multipart upload request. The `uploadId` query parameter
flows into `save()` as `uploadFieldId` (line 66). The `clientFileName` in
`getFile()` comes from client-controlled JSON in the AJAX callback
(`UploadInfo.fromJson()`).
- **Sink (Write)**: `FolderUploadsFileManager.save()` at line 66–70:
```java
File uploadFieldFolder = new File(getFolder(), uploadFieldId); // line 66 — unsanitized
uploadFieldFolder.mkdirs();
IOUtils.copy(fileItem.getInputStream(),
    new FileOutputStream(new File(uploadFieldFolder,
        fileItem.getClientFileName()))); // line 70
```
- **Sink (Read)**: `FolderUploadsFileManager.getFile()` at line 81:
```java
return new File(new File(getFolder(), uploadFieldId), clientFileName); // unsanitized
```
- **Impact**: An attacker can write arbitrary files anywhere on the
filesystem that the application server process has write access to. This
enables remote code execution (e.g., writing JSP webshells), configuration
tampering, or denial of service. The `getFile()` method also permits reading
arbitrary files when the attacker manipulates the `clientFileName` in the AJAX
response JSON.
### Attack Vectors
1. **uploadFieldId traversal**: The `uploadId` HTTP query parameter is
passed directly to `new File(getFolder(), uploadFieldId)` without validation.
An attacker sends `?uploadId=../../webapps/ROOT` to write files into the web
root.
2. **clientFileName traversal via getFile()**: The `clientFileName` field in
the AJAX `filesInfo` JSON is deserialized by `UploadInfo.fromJson()` and passed
to `getFile()` without sanitization, allowing path traversal reads.
3. **clientFileName traversal via save()**: While
`FileUpload.getClientFileName()` strips `/` and `\` path separators, the
`FolderUploadsFileManager` class has no defense-in-depth. Any caller or
subclass providing an unsanitized filename bypasses the intended protection.
## Affected
- **Package**: `org.apache.wicket:wicket-core`
- **File**:
`wicket-core/src/main/java/org/apache/wicket/markup/html/form/upload/resource/FolderUploadsFileManager.java`
- **Lines**: 66–70 (save), 79–82 (getFile)
- **Introduced**: When `FolderUploadsFileManager` was added
For POC, check here:
https://gist.github.com/hayageek/3dda5923bbda483954dd84cfb5651534
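The mitigation the report implies is to treat both `uploadFieldId` and `clientFileName` as single path segments and to confirm that the resolved file stays inside the upload folder. The following is an added illustration, written for this thread; it is not the PR author's patch nor Wicket's code. The class `SafeUploadPaths`, its method names and the demo folder under `java.io.tmpdir` are hypothetical, and it uses only `java.io` so it can be compiled and run on its own.

```java
import java.io.File;
import java.io.IOException;

/**
 * Hypothetical helper (not Wicket's own code): resolves an upload target
 * and refuses any input that would escape the configured base folder.
 */
public final class SafeUploadPaths {

    private SafeUploadPaths() {}

    /**
     * A segment is safe only if it is a single, non-empty path component:
     * no "/" or "\" separators, no NUL, and not "." or "..".
     */
    static boolean isSafeSegment(String segment) {
        if (segment == null || segment.isEmpty()) {
            return false;
        }
        if (segment.equals(".") || segment.equals("..")) {
            return false;
        }
        for (int i = 0; i < segment.length(); i++) {
            char c = segment.charAt(i);
            if (c == '/' || c == '\\' || c == '\0') {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns baseFolder/uploadFieldId/clientFileName, or throws if either
     * segment is unsafe or the canonical result lies outside baseFolder.
     */
    public static File resolve(File baseFolder, String uploadFieldId, String clientFileName)
            throws IOException {
        if (!isSafeSegment(uploadFieldId) || !isSafeSegment(clientFileName)) {
            throw new IllegalArgumentException("unsafe path segment");
        }
        File base = baseFolder.getCanonicalFile();
        File target = new File(new File(base, uploadFieldId), clientFileName).getCanonicalFile();
        // Second, independent check on canonical paths: catches symlinks under the
        // upload folder and anything the segment filter did not anticipate. The
        // trailing separator stops "/uploads" from matching a sibling "/uploads2".
        String basePrefix = base.getPath() + File.separator;
        if (!target.getPath().startsWith(basePrefix)) {
            throw new IllegalArgumentException("resolved path escapes upload folder");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo folder; nothing is written to disk by this program.
        File base = new File(System.getProperty("java.io.tmpdir"), "upload-demo");
        System.out.println("accepted: " + resolve(base, "field1", "report.pdf"));
        String[][] rejected = {
            {"../../webapps/ROOT", "file.txt"}, // the uploadId vector from the report
            {"field1", "../../secret.txt"},     // clientFileName traversal
            {"..", "x"},
            {"field1", "sub/file.txt"},
        };
        for (String[] in : rejected) {
            try {
                resolve(base, in[0], in[1]);
                System.out.println("UNEXPECTED: accepted " + in[0] + " / " + in[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + in[0] + " / " + in[1] + ": " + e.getMessage());
            }
        }
    }
}
```

Both layers matter: the segment filter gives a clear error before any filesystem access, while the canonical-path containment check is what actually bounds the write, so a subclass that passes an unsanitized name (attack vector 3 above) is still stopped at the manager.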
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]