thinkgem JeeSite Path Traversal Vulnerability in Connection Handler Component

Vulnerability

A path traversal vulnerability has been identified in thinkgem JeeSite versions through 5.15.1. The issue arises from an unknown function in the Connection Handler component, allowing remote attackers to manipulate input and traverse the file system. This vulnerability is characterized by high complexity and difficult exploitability.

Impact

Exploitation of this vulnerability allows for arbitrary file read, where attackers can access sensitive files such as application configuration or system files. Additionally, if certain conditions are met, this vulnerability could lead to remote code execution.

Reproduction

To reproduce this vulnerability, send a POST request to the target application with a crafted JDBC URL that includes dangerous connection parameters such as allowLoadLocalInfile. If the request succeeds, the application connects to an attacker-controlled MySQL server, which can then request and receive arbitrary local files from the victim machine.

Remediation

Users are advised to disallow user control of JDBC driver class names, remove the ability to input full URLs, and instead accept only the individual components (host, port, and database). Construct the JDBC URL on the backend and apply parameter allowlisting so that harmful parameters such as allowLoadLocalInfile are removed before the URL is used. Additionally, ensure that the system user running the Java application has limited file system permissions.
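The following is an added example of the remediation described above; it is not JeeSite code. It assumes a MySQL Connector/J backend and a hypothetical SafeJdbcUrlBuilder class: the driver class name is checked against a fixed allowlist, the URL is assembled on the server from host, port and database components, and only an allowlist of connection parameters is kept, so a caller-supplied allowLoadLocalInfile never reaches the driver. The allowlisted driver and parameter names are constructed for the example and would be adjusted to what the deployment actually needs.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not part of JeeSite) that builds a MySQL JDBC URL from
 * individual components instead of accepting a full caller-supplied URL.
 */
public final class SafeJdbcUrlBuilder {

    // Constructed allowlist: only the driver the application actually ships with.
    private static final Set<String> ALLOWED_DRIVERS = Set.of("com.mysql.cj.jdbc.Driver");

    // Constructed allowlist of connection parameters a caller may tune.
    // Anything not listed here (e.g. allowLoadLocalInfile) is silently dropped.
    private static final Set<String> ALLOWED_PARAMS =
            Set.of("useSSL", "serverTimezone", "characterEncoding");

    // Host names and database names are restricted to a conservative character set
    // so a caller cannot smuggle '/', '?', '&' or '=' into the URL structure.
    private static final Pattern HOST = Pattern.compile("^[A-Za-z0-9.-]{1,253}$");
    private static final Pattern DB_NAME = Pattern.compile("^[A-Za-z0-9_]{1,64}$");

    private SafeJdbcUrlBuilder() {}

    /** Rejects any driver class the application does not explicitly allow. */
    public static String checkDriver(String driverClass) {
        if (driverClass == null || !ALLOWED_DRIVERS.contains(driverClass)) {
            throw new IllegalArgumentException("JDBC driver not allowed: " + driverClass);
        }
        return driverClass;
    }

    /**
     * Builds jdbc:mysql://host:port/database?... from validated components.
     * The caller never supplies the URL itself, only the pieces.
     */
    public static String build(String host, int port, String database,
                               Map<String, String> requestedParams) {
        if (host == null || !HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid host");
        }
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("invalid port");
        }
        if (database == null || !DB_NAME.matcher(database).matches()) {
            throw new IllegalArgumentException("invalid database name");
        }

        // Server-controlled hardening: client-side LOAD DATA LOCAL INFILE is always off.
        Map<String, String> effective = new LinkedHashMap<>();
        effective.put("allowLoadLocalInfile", "false");

        // Keep only allowlisted parameters; the caller cannot override the entry above
        // because "allowLoadLocalInfile" is not in ALLOWED_PARAMS.
        if (requestedParams != null) {
            for (Map.Entry<String, String> e : requestedParams.entrySet()) {
                if (ALLOWED_PARAMS.contains(e.getKey()) && e.getValue() != null) {
                    effective.put(e.getKey(), e.getValue());
                }
            }
        }

        StringBuilder url = new StringBuilder("jdbc:mysql://")
                .append(host).append(':').append(port).append('/').append(database);
        char sep = '?';
        for (Map.Entry<String, String> e : effective.entrySet()) {
            url.append(sep)
               .append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
               .append('=')
               .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a request that tries to turn on local infile loading.
        Map<String, String> requested = new LinkedHashMap<>();
        requested.put("useSSL", "true");
        requested.put("allowLoadLocalInfile", "true");   // dropped by the allowlist

        checkDriver("com.mysql.cj.jdbc.Driver");
        String url = build("db.internal.example", 3306, "app_db", requested);
        // Expected: jdbc:mysql://db.internal.example:3306/app_db?allowLoadLocalInfile=false&useSSL=true
        System.out.println(url);

        try {
            build("evil.example/app?allowLoadLocalInfile=true", 3306, "app_db", null);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected host: " + ex.getMessage());
        }
    }
}
```

The key design choice is that the dangerous parameter is both excluded from the caller-controlled allowlist and pinned to `false` by the server, so a later change to the allowlist cannot accidentally re-enable it; the host and database regexes additionally prevent a caller from terminating the path early and appending their own query string.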

Added: Mar 2, 2026, 2:20 AM
Updated: Mar 2, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm scores:
spread: 0.8
impact: 10.0
exploitability: 7.6
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.