Wander-Chu SpringBoot-Blog Unrestricted File Upload Vulnerability in Admin Attachment Handler
Vulnerability
A critical vulnerability allowing unrestricted file uploads has been identified in Wander-Chu SpringBoot-Blog version 1.0. The issue resides in the Admin Attachment Handler, specifically within the upload function of the AttachController. The vulnerability can be exploited remotely by manipulating the file upload argument, allowing the direct upload of JSP and HTML files that could contain malicious payloads.
Impact
Exploitation of this vulnerability could lead to arbitrary file uploads, including the potential execution of uploaded JSP files on the server.
Reproduction
To reproduce this vulnerability, access the admin attachment upload page. Use the upload function to send a file named 'calc.jsp' containing a payload that executes a command, such as opening the calculator application. The request must be made with the appropriate headers to simulate a genuine file upload, including the 'Content-Type' set to 'multipart/form-data' and the 'Cookie' header containing a valid session ID.
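As a defensive counterpart to the upload described above, the following added example (not code from SpringBoot-Blog) shows one way an attachment handler can refuse JSP and HTML uploads by allowlisting extensions and storing files under server-generated names. The class name `SafeAttachmentStore`, the allowlist contents and the temporary upload directory are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Added example: hypothetical helper, not code from SpringBoot-Blog.
public final class SafeAttachmentStore {
    // Assumed allowlist; JSP, HTML and every other type not listed are rejected.
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "jpeg", "gif", "pdf");
    private final Path root;
    public SafeAttachmentStore(Path root) { this.root = root.toAbsolutePath().normalize(); }

    /** Returns the allowlisted lower-case extension, or throws for anything else. */
    static String checkedExtension(String clientName) {
        if (clientName == null) throw new IllegalArgumentException("missing file name");
        // Keep only the last path element; the client controls this string.
        String base = clientName.substring(Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\')) + 1);
        int dot = base.lastIndexOf('.');
        String ext = dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) throw new IllegalArgumentException("file type not allowed");
        return ext;
    }

    /** Stores the upload under a server-generated name and returns the stored path. */
    public Path store(String clientName, InputStream body) throws IOException {
        String ext = checkedExtension(clientName);
        // The client-supplied name is never used on disk, only its checked extension.
        Path target = root.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(root)) throw new IllegalArgumentException("path escapes upload root");
        Files.createDirectories(root);
        Files.copy(body, target); // fails if the file already exists
        return target;
    }

    public static void main(String[] args) throws IOException {
        SafeAttachmentStore store = new SafeAttachmentStore(Files.createTempDirectory("uploads"));
        // Constructed sample names, including the calc.jsp name used in the reproduction.
        for (String name : new String[] {"photo.PNG", "calc.jsp", "page.html", "a.png.jsp", "../x.jsp"}) {
            try {
                System.out.println(name + " -> " + store.store(name, InputStream.nullInputStream()).getFileName());
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Keeping the upload directory outside the servlet container's web root means a stored file is not interpreted as JSP even if the extension check is bypassed.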
