Wangl1989 MySiteForMe Unrestricted File Upload Vulnerability in LocalUploadServiceImpl

Vulnerability

A critical vulnerability allowing arbitrary file upload has been identified in Wangl1989 MySiteForMe version 1.0. The issue resides in the LocalUploadServiceImpl file, where the upload function fails to properly validate file types. This flaw enables remote attackers to upload malicious JSP or HTML files, potentially leading to the execution of harmful scripts on the server.

Impact

Exploitation of this vulnerability allows for arbitrary file upload, with the potential for uploaded files to be executed as scripts, depending on the server configuration.

Reproduction

To reproduce this vulnerability, access the file upload interface and upload an image file. After the upload, intercept the request and change the file extension to JSP or HTML. Once the modified file is uploaded, it can be accessed through the server's static upload directory, where it will be executed as a script.

Remediation

Users are advised to update to the latest version of MySiteForMe, where this vulnerability has been addressed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.