Uploaded image for project: 'ZK'
  1. ZK
  2. ZK-5150

Vulnerability in zk upload

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 9.6.1
    • Fix Version/s: 9.6.2
    • Component/s: None
    • Security Level: Jimmy
    • Labels:

      Description

      Secure versions

      This vulnerability is resolved in versions:

      • 9.6.2
      • 9.6.0.2 (security release)
      • 9.5.1.4 (security release)
      • 9.0.1.3 (security release)
      • 8.6.4.2 (security release)

      Workaround

      download attached classes, and add them to application in their declared package.

      register in zk.xml

      	<listener>
      	    <listener-class>org.zkoss.support.patch.AuUploadWebAppInit</listener-class>
      	</listener>
      	
      	<system-config>
      		<file-item-factory-class>org.zkoss.support.patch.UploadFixItemFactory</file-item-factory-class>
      	</system-config>
      

      Vulnerability details

      Thanks to Markus Wulftange of Code White GmbH for discovering and reporting this issue, as well as cooperating with us in its resolution.

       

      ZK AuUploader servlets contains a security vulnerability which can be exploited to retrieve the content of a file located in the web context. This includes files normally hidden from the user located in WEB-INF, such as web.xml, zk.xml, etc.

      In the unsecure versions, an attacker may send a forged request to the /zkau/upload endpoint.
      If the forged request contains the nextURI parameter, the AuUploader will try to forward the request internally, and output the document found if any into the response.

      Since this is an internal forward, it can access documents located in restricted WEB-INF folder, which exposes internal files such as web.xml, zk.xml and other files located in this directory.

      This vulnerability affects ZK versions below the secure version list provided above.

      The secure list contains security releases for ZK branches from 8.6.X up to 9.6.0.X, and the main release 9.6.2

        Attachments

          Activity

            People

            Assignee:
            DevChu DevChu
            Reporter:
            hawk hawk
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: