lsFusion Path Traversal Vulnerability in UploadFileRequestHandler Allowing Arbitrary File Upload
Vulnerability
A path traversal vulnerability has been identified in the lsFusion platform in versions through 6.1. The issue arises in the UploadFileRequestHandler, where the sid parameter is not properly validated before being appended to the upload directory path. This lack of validation, combined with unrestricted file names, enables attackers to upload JSP files to a directory accessible via the web. Such an upload could be exploited to execute remote code on the server.
Impact
Exploitation of this vulnerability allows for arbitrary file uploads, which can lead to remote code execution on the server by uploading a malicious JSP file and accessing it through the web.
Reproduction
To reproduce this vulnerability, access the /uploadFile API and upload a file named shell.jsp. Manipulate the sid parameter to traverse directories and place the file in a web-accessible location. After uploading, the JSP file can be accessed and executed, resulting in remote code execution.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.