
Moss has a file upload vulnerability #16

@zhuo21hh

Description

Summary

Version 0.1.5 of Moss has a file upload vulnerability. Attackers can upload files of any extension to any location on the target server.
Vulnerable routes:
/admin/api/config/upload
/admin/api/upload

Details

POST /admin/api/config/upload HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
token: xxx
Content-Length: 427
Origin: http://10.4.3.70:13704
{"domain":"/upload/","path_format":"","name_format":"","storage":{"active":"local","driver":{"local":{"path":"../"},"ftp":{"host":"","port":"21","name":"","password":"","timeout":0},"b2":{"keyID":"","appKey":"","bucket":""},"cos":{"bucketURL":"","secretID":"","secretKey":""},"oss":{"endpoint":"","accessKeyID":"","accessKeySecret":"","bucket":""},"s3":{"endpoint":"","region":"","bucket":"","accessKey":"","secretKey":""}}}}

There is an "upload" function configuration in the system's admin backend, which allows configuring the path and name information applied after a file upload. It is possible to set the "path" and "name" fields in the request to empty values and use the relative path "../" for path traversal. Moreover, the backend does not verify the file extension after the upload, so it is possible to traverse the path and upload files of any format.

The request package for uploading the configuration is as follows:

Call the file upload interface and upload the file 123456.ini:

The uploaded file is uploaded across directories to the user's directory.

It is also possible to modify the "path" value to a drive letter to enable cross-drive file uploads:

Code

route:

controller:

Following the uploadFunc() function:

Following the upload.Upload() method:

The NewResult() function handles the configuration for the upload function: it renames the uploaded file and prepends the configured path.

It can be seen that when the "Path" or "Name" field in the configuration does not match any of the case conditions, the path and file name of the file uploaded by the user are not processed at all:

Back to the previous level, the method config.Config.Upload.Storage.ActiveDriver() is used to obtain the "path" value from the upload configuration.

Then, the method store.Set(res.FullPath, val) is called to concatenate the "path" value with the file path FullPath to form the final path for file upload.

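As an added example, not code from the Moss project or from the reporter: the kind of check the final store.Set(res.FullPath, val) step would need, joining the configured storage root with the relative path and file name from the upload configuration and refusing any result that leaves the root, names a drive letter, or carries an extension outside an allowlist. The root path, function names and extension list are constructed for illustration.

```go
package main

import (
	"errors"
	"path"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("upload path escapes the configured storage root")
var ErrBadExtension = errors.New("file extension is not on the allowlist")

// allowedExt is a constructed allowlist for this example; a real deployment picks its own.
var allowedExt = map[string]bool{".png": true, ".jpg": true, ".jpeg": true, ".gif": true, ".pdf": true}

// isAbsOrDrive catches "/etc", "C:\..." and "D:" regardless of host OS, because
// filepath.IsAbs only knows the rules of the platform the server runs on.
func isAbsOrDrive(s string) bool {
	if strings.HasPrefix(s, "/") {
		return true
	}
	return len(s) >= 2 && s[1] == ':' &&
		((s[0] >= 'a' && s[0] <= 'z') || (s[0] >= 'A' && s[0] <= 'Z'))
}

// SafeUploadPath joins root with a configured relative path and a file name, and refuses
// any result that leaves root, selects another drive, or has a disallowed extension.
func SafeUploadPath(root, relPath, name string) (string, error) {
	relPath = strings.ReplaceAll(relPath, "\\", "/") // treat backslashes as separators too
	name = strings.ReplaceAll(name, "\\", "/")
	if strings.ContainsRune(relPath+name, 0) || isAbsOrDrive(relPath) || isAbsOrDrive(name) {
		return "", ErrUnsafePath
	}
	// The file name must be a bare name: no directory components at all.
	if name == "" || name == "." || name == ".." || strings.Contains(name, "/") {
		return "", ErrUnsafePath
	}
	if !allowedExt[strings.ToLower(path.Ext(name))] {
		return "", ErrBadExtension
	}
	cleanRoot := filepath.Clean(root)
	full := filepath.Join(cleanRoot, filepath.FromSlash(relPath), name) // Join also Cleans ".."
	// After cleaning, the result must still sit at or below root.
	rel, err := filepath.Rel(cleanRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return full, nil
}
```

With a configured path of "../" the cleaned result resolves above the root and is rejected before any write happens, and an ".ini" name is refused by the allowlist regardless of where it would land.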
