wwwlike vlife Path Traversal Vulnerability Allowing Unauthenticated Arbitrary File Read

Vulnerability

A path traversal vulnerability allowing unauthenticated arbitrary file read has been identified in wwwlike vlife versions through 2.0.1. The issue lies in the SysFileApi component, specifically in the create function of the file vlife-base/src/main/java/cn/wwwlike/sys/api/SysFileApi.java. The fileName argument is accepted without sanitisation, so a value containing directory traversal sequences is stored in the resulting SysFile record and later used to locate the file on disk when the record is served. Because the /sysFile/create/ endpoint can be reached without authentication (an authentication bypass), an attacker can craft a fileName that traverses out of the intended upload directory and read sensitive files on the server, such as the passwd file.

Impact

Exploitation of this vulnerability allows unauthenticated users to read arbitrary files on the server (subject to the permissions of the account running vlife), potentially leading to the disclosure of sensitive information such as credentials and configuration.

Reproduction

To reproduce this vulnerability, first send a request to the /sysFile/create/ endpoint with a crafted fileName parameter that includes directory traversal sequences (for example, enough ../ components to reach the target file from the upload directory). No authentication is required for this request. Note the id of the SysFile object that is created, then request /sysFile/image/{id}, /sysFile/pdf/{id}, or /sysFile/download/{id} with that id; the server resolves the stored fileName relative to its upload directory and returns the contents of the traversed file.
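The following is an added illustration of the mechanism described in the Vulnerability and Reproduction sections above; it is not code from vlife. It models a create-then-download chain in which the submitted fileName is stored verbatim and later joined onto an upload root, and places a hardened resolver beside it. The FileStore class, the upload root, the sandbox "secret.txt" standing in for the passwd file, and the record ids are all constructed for the demonstration and are assumptions, not details taken from the advisory.

```python
"""
Added example (not vlife's code): a minimal model of the two-step
unauthenticated file-read chain, beside a hardened path resolver.

Assumptions (not from the advisory): the service stores the submitted
fileName untouched and later joins it onto an upload root when serving
the record. Everything below (store, sandbox, file names) is constructed.
"""
import os
import tempfile
import uuid
from pathlib import Path


class FileStore:
    """In-memory stand-in for the SysFile record table (constructed)."""

    def __init__(self, upload_root: Path, hardened: bool):
        self.upload_root = upload_root.resolve()
        self.hardened = hardened
        self.records: dict[str, str] = {}

    def create(self, file_name: str) -> str:
        """Models /sysFile/create/: stores the name and returns the record id.

        The vulnerable variant keeps file_name untouched, so '../' sequences
        survive into the later read.
        """
        if self.hardened:
            self._resolve(file_name)  # reject traversal at write time too
        record_id = uuid.uuid4().hex
        self.records[record_id] = file_name
        return record_id

    def download(self, record_id: str) -> bytes:
        """Models /sysFile/download/{id}: reads the stored name under the root."""
        file_name = self.records[record_id]
        if self.hardened:
            target = self._resolve(file_name)
        else:
            # Vulnerable join: os.path.join neither normalises '..' nor
            # stops an absolute file_name from replacing the root entirely.
            target = Path(os.path.join(self.upload_root, file_name))
        return target.read_bytes()

    def _resolve(self, file_name: str) -> Path:
        """Containment check: the canonical target must stay under upload_root."""
        # Reject separators and parent references outright ...
        if "/" in file_name or "\\" in file_name or file_name in ("", ".", ".."):
            raise ValueError(f"rejected file name: {file_name!r}")
        # ... and verify the resolved path anyway (symlinks, odd encodings).
        target = (self.upload_root / file_name).resolve()
        if self.upload_root not in target.parents:
            raise ValueError(f"path escapes upload root: {file_name!r}")
        return target


def demo() -> dict:
    """Builds a sandbox and runs the chain against both variants."""
    sandbox = Path(tempfile.mkdtemp())
    uploads = sandbox / "uploads"
    uploads.mkdir()
    (uploads / "report.pdf").write_bytes(b"%PDF-legit")
    # Constructed stand-in for the passwd file, one level above the upload root.
    (sandbox / "secret.txt").write_bytes(b"root:x:0:0:root:/root:/bin/bash\n")

    results = {}
    vuln = FileStore(uploads, hardened=False)
    results["vuln_legit"] = vuln.download(vuln.create("report.pdf"))
    results["vuln_traversal"] = vuln.download(vuln.create("../secret.txt"))

    safe = FileStore(uploads, hardened=True)
    results["safe_legit"] = safe.download(safe.create("report.pdf"))
    try:
        safe.create("../secret.txt")
        results["safe_traversal"] = "accepted"
    except ValueError:
        results["safe_traversal"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The hardened resolver does two things a fix for this class of bug needs: it refuses names that carry separators or parent references before anything is stored, and it still canonicalises the final path and checks that the upload root is an ancestor, so a symlink or an unusual encoding that slips past the string check cannot escape either. Applying the check only at read time would leave poisoned records in the database; applying it only at write time would leave existing records exploitable.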

Added: Nov 17, 2025, 6:18 AM
Updated: Nov 17, 2025, 6:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.