Moxi159753 Mogu Blog Unauthenticated File Upload Vulnerability

Vulnerability

A critical unrestricted file upload vulnerability has been identified in Moxi159753 Mogu Blog versions 2.0 through 5.2. The upload handler behind the '/file/pictures' endpoint is reachable without authentication and does not validate the type of the submitted file, so an attacker can upload arbitrary content, including HTML, JavaScript, SQL and JSP files. Because uploaded files are written to a publicly accessible directory and served from the blog's own origin, an attacker-controlled HTML or JavaScript file is rendered in the victim's browser in the site's security context, enabling stored cross-site scripting, phishing pages, malware distribution and website defacement.

Impact

An unauthenticated attacker can upload arbitrary files that are then served from the legitimate domain, enabling stored cross-site scripting (XSS), website defacement and distribution of malicious content that appears to originate from the trusted site.

Reproduction

To reproduce this vulnerability, send a multipart/form-data POST request to the '/file/pictures' endpoint without any session or token. Set the 'source' form field to 'picture', which bypasses the upload validation. Supply arbitrary 'userUid' or 'adminUid' values; they are not checked against an authenticated session. Use 'projectName' and 'sortName' values that exist in the target's database (these are predictable for a default installation). Attach a file with a dangerous extension such as .html or .js. The file is stored in a publicly accessible directory and can be retrieved over HTTP; confirm the finding by fetching the stored file from the application's origin and checking that the browser renders it as a page rather than downloading it.

Remediation

It is recommended to require authentication on the file upload endpoint and to take the uploading user's identity from the authenticated session rather than from client-supplied 'userUid' or 'adminUid' fields. Restrict uploads to an allowlist of safe types, validating the file content (magic bytes) and not only the declared extension or Content-Type, store uploads under server-generated names, and enforce file size limits. Additionally, serving uploaded files with X-Content-Type-Options: nosniff and a restrictive Content Security Policy, and integrating antivirus scanning for uploaded files, can help mitigate the risks associated with this vulnerability.
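The validator below is an added example illustrating the remediation above; it is not the project's own code (Mogu Blog is a Java application, so this Python is a language-neutral sketch of the checks, not a drop-in fix). The allowed types, the magic-byte prefixes, the 5 MiB limit and the response headers are assumptions chosen for the example.

```python
import os
import secrets

MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumed limit; tune per deployment

# Allowlist: extension -> (byte prefixes the content must start with, MIME type).
# Anything not listed (html, js, sql, jsp, svg, ...) is rejected outright.
ALLOWED_TYPES = {
    ".png":  ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    ".jpg":  ((b"\xff\xd8\xff",), "image/jpeg"),
    ".jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".gif":  ((b"GIF87a", b"GIF89a"), "image/gif"),
}


def validate_upload(filename, data, session_uid):
    """Return (True, server_chosen_name) or (False, reason).

    session_uid must come from the authenticated session, never from a
    'userUid'/'adminUid' form field that the client controls.
    """
    if not session_uid:
        return False, "authentication required"
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return False, "empty or oversized upload"
    # Ignore any client-supplied directory; only the final extension matters,
    # so 'shell.png.html' is judged by '.html' and rejected.
    ext = os.path.splitext(os.path.basename(filename.replace("\\", "/")))[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowed"
    magics, _ = ALLOWED_TYPES[ext]
    # The declared type must match what the bytes actually are.
    if not any(data.startswith(m) for m in magics):
        return False, "content does not match declared type"
    # Store under a server-generated name so the client never chooses the
    # on-disk name or its extension.
    return True, secrets.token_hex(16) + ext


def serving_headers(stored_name):
    """Headers to attach when serving a stored file back to browsers."""
    ext = os.path.splitext(stored_name)[1].lower()
    return {
        "Content-Type": ALLOWED_TYPES[ext][1],
        # Stop browsers from sniffing an image into HTML.
        "X-Content-Type-Options": "nosniff",
        # Even if a polyglot were rendered as a document, it can run nothing.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

The order of the checks matters: authentication and size are decided before any content is inspected, and the extension check runs before the magic-byte check so that a file whose name passes but whose bytes do not is refused rather than stored with a trusted extension.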

Added: Dec 1, 2025, 9:19 AM
Updated: Dec 1, 2025, 4:03 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.