YiFang CMS Unrestricted File Upload Vulnerability in Backend Component

A vulnerability allowing arbitrary file upload has been identified in YiFang CMS versions through 2.0.2. The issue arises in the webUploader function of the file app/app/controller/File.php within the Backend component. This vulnerability can be exploited remotely by manipulating the uploadpath parameter, leading to unrestricted file uploads, potentially including malicious web shells that could be executed to gain server privileges.

Impact

Exploitation of this vulnerability allows for arbitrary file upload, which could be used to upload malicious files such as web shells. If such a web shell is uploaded, it could be executed to gain unauthorized access or control over the server.

Reproduction

To reproduce this vulnerability, log into the affected YiFang CMS version. Access the interface that allows file uploads and use the webUploader function. Manipulate the uploadpath parameter to direct the upload to a location where the uploaded file can be executed, such as a public directory. After uploading a file, it can be accessed through the web server, potentially leading to remote code execution.