
EasySpider Version 0.6.2 Windows 存在任意文件读取漏洞 #466

Closed
Hebing123 opened this issue Jul 9, 2024 · 2 comments

Comments


Hebing123 commented Jul 9, 2024

# Summary

EasySpider Version 0.6.2 for Windows has an arbitrary file read vulnerability. An attacker can read any file on the disk where the EasySpider application is located, without access control restrictions. This vulnerability may lead to sensitive information leakage, system crashes, and other issues.

# Details

1. By inputting an incorrect path, you can determine the absolute path of the EasySpider running directory.
2. If the running directory is under the C drive (users usually run it from the desktop, e.g., C:/Users/%USER%/Desktop/, which happens to be on the system drive), this affects system security. For example, the PoC below reads C:/Windows/win.ini.

Additionally, attackers can not only read system files but also access user information stored in the `EasySpider\user_data` directory, including cookies from third-party sites.

# POC

```http
GET /../../../../../../../../../Windows/win.ini HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: localhost:8074
```

# Patch

Modify the code in `\EasySpider\resources\app\server.js` to ensure that the user-supplied path does not contain any unsafe path traversal sequences.

```javascript
const SAFE_BASE_DIR = path.resolve(__dirname, 'src');
···
      const safePath = path.join(SAFE_BASE_DIR, pathName);

      // Compare against the base plus a separator: a bare
      // startsWith(SAFE_BASE_DIR) would also accept a sibling
      // directory whose name begins with "src" (e.g. "src-backup").
      if (safePath !== SAFE_BASE_DIR && !safePath.startsWith(SAFE_BASE_DIR + path.sep)) {
        res.writeHead(400, {"Content-Type": "text/plain"});
        res.end("Invalid request path");
        return;
      }
```
NaiboWang (Owner) commented

Thank you very much for finding this issue, but this bug is not a big problem for this project, because by default the software runs locally and does not go through the internet. If large organizations and companies want to deploy it at scale, they would not use the server code that ships with the project anyway; they would certainly write their own, or integrate it into their own complete authentication system with access control. So this issue is tolerable for this project.

Many thanks for your contribution to EasySpider!

NaiboWang closed this as not planned (won't fix, can't repro, duplicate, stale) on Jul 12, 2024

Hebing123 commented Jul 17, 2024

Additional Information

Users of EasySpider 0.6.2 who expose port 8074 externally are susceptible to attack. If an attacker is on the same local network as you, they can exploit this vulnerability by scanning IP ranges while your EasySpider is running, since within the same network segment your port 8074 is reachable by other users.
The vulnerability may already be actively exploited; it is recommended to apply the patch immediately or wait for the next release.
