Wildfire 存在 UploadFileAction 中的任意文件上传漏洞，通过目录遍历实现

该目录遍历漏洞的潜在影响非常严重。攻击者可以利用此漏洞绕过文件上传验证，通过构造包含 '../' 等目录遍历序列的恶意文件名，访问服务器文件系统中的任意文件。这可能包括配置文件、源代码、数据库备份或其他包含敏感信息的关键文件。攻击者可以窃取凭据、修改系统配置，甚至执行远程代码，从而对系统造成严重破坏。由于 Wildfire IM Server 通常用于即时通讯和实时音视频通信，因此该漏洞可能导致用户数据泄露和通信内容被窃听。

Organizations using Wildfire IM Server in production environments, particularly those with publicly accessible file upload endpoints, are at risk. Environments with limited security controls or inadequate input validation are especially vulnerable. Shared hosting environments where multiple users share the same server instance could also be affected, as a compromised user account could potentially be used to exploit this vulnerability.

• linux / server: Monitor access logs for requests containing ../ sequences in the filename parameter during file uploads. Use grep to search for patterns like /fs?file=../ in the access logs.

grep '/fs?file=../' /var/log/apache2/access.log

• generic web: Use curl to attempt a file upload with a malicious filename and observe the server's response. Check for unexpected file access or errors.

curl -F "file=../../../../etc/passwd;" http://your-wildfire-server/fs

• generic web: Examine the server's file system for unexpected files appearing outside of the intended upload directory. Use file system auditing tools to track file creation and modification events.

1. 2026-02-02Disclosure

   disclosure

1. 已保留2025-12-02
2. 发布日期2026-02-02
3. 修改日期2026-02-03
4. EPSS 更新日期2026-03-23

最有效的缓解措施是立即将 Wildfire IM Server 升级至 1.4.3 版本或更高版本。如果无法立即升级，可以考虑以下临时缓解措施：首先，限制文件上传功能的可访问性，仅允许授权用户上传文件。其次，实施严格的文件名验证，过滤掉包含 '../' 或其他目录遍历序列的文件名。第三，配置 Web 应用防火墙 (WAF) 或代理服务器，以拦截包含恶意目录遍历序列的请求。最后，监控文件上传日志，及时发现和响应可疑活动。