zhenfeng13 My-Blog
cpe:2.3:a:my-blog_project:my-blog:*:*:*:*:*:*:*
- 1.0
A critical vulnerability allowing unrestricted file uploads has been identified in Zhenfeng13 My-Blog version 1.0. The issue resides in the upload function of the uploadController.java file, where uploaded files are not properly restricted. This flaw enables remote attackers to upload potentially malicious files, such as JSP web shells, which could be executed on the server.
Exploitation of this vulnerability allows an attacker to upload arbitrary files, including executable web shell files that can then be run on the server.
To reproduce this vulnerability, upload a file through the application's file upload feature in the admin panel. The uploadController.java file does not implement any restrictions on the types of files that can be uploaded. After uploading a file, it can be accessed and executed on the server, demonstrating the successful exploitation of the vulnerability.
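One way to add the restriction the upload function lacks, shown as an added example that is not code from My-Blog: an allow-list check on the file extension and leading bytes that returns a server-generated file name. The class `UploadValidator`, the method `safeName` and the sample inputs are assumptions made for illustration.

```java
import java.util.*;

// Added example: allow-list validation for an image upload endpoint.
// Class and method names are hypothetical, not taken from My-Blog.
public class UploadValidator {
    // Only the image types an editor needs; every other extension (.jsp, .jspx, ...) is refused.
    private static final Map<String, byte[]> ALLOWED = Map.of(
        "png", new byte[]{(byte) 0x89, 'P', 'N', 'G'},
        "jpg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif", new byte[]{'G', 'I', 'F', '8'});

    /** Returns a server-generated file name, or throws if the upload is not an allowed image. */
    public static String safeName(String clientName, byte[] content) {
        if (clientName == null || content == null)
            throw new IllegalArgumentException("missing file name or content");
        int dot = clientName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (ext.equals("jpeg")) ext = "jpg";
        byte[] magic = ALLOWED.get(ext);
        if (magic == null)
            throw new IllegalArgumentException("extension not allowed: '" + ext + "'");
        // The leading bytes must match the claimed type, so a renamed script is refused too.
        if (content.length < magic.length
                || !Arrays.equals(Arrays.copyOf(content, magic.length), magic))
            throw new IllegalArgumentException("content does not match ." + ext);
        // Never reuse the client-supplied name: no path segments, no double extensions.
        return UUID.randomUUID() + "." + ext;
    }

    public static void main(String[] args) {
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}; // constructed sample
        byte[] jsp = "<%-- constructed placeholder --%>".getBytes();       // constructed sample
        System.out.println("accepted as " + safeName("avatar.PNG", png));
        Object[][] refused = {{"page.jsp", jsp}, {"page.png", jsp}, {"avatar.png.jsp", png}};
        for (Object[] c : refused) {
            try {
                safeName((String) c[0], (byte[]) c[1]);
                System.out.println("UNEXPECTED accept: " + c[0]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + c[0] + ": " + e.getMessage());
            }
        }
    }
}
```

Assuming the controller receives a Spring `MultipartFile`, the two arguments would come from `getOriginalFilename()` and `getBytes()`. Writing the result to a directory the servlet container does not serve as executable content covers files that pass the byte check but carry extra data.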