Moxi159753 Mogu Blog Path Traversal Vulnerability in ZIP File Handler

Vulnerability

A path traversal vulnerability has been identified in Moxi159753 Mogu Blog versions 2.0 through 5.2. The issue resides in the ZIP File Handler component, specifically within the FileOperation.unzip method. This vulnerability allows authenticated attackers with network disk access to manipulate the fileUrl argument, leading to unauthorized file writes on the server filesystem. The flaw can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for arbitrary file writes to any location on the server where the application process has write permissions. This could lead to overwriting critical application files or configuration, deploying web shells, or even remote code execution, depending on the files written and the application's environment.

Reproduction

To reproduce this vulnerability, upload a malicious ZIP file containing path traversal sequences (such as '../../../../etc/cron.d/malicious') to the network disk. Then, use the /networkDisk/unzipFile endpoint to extract the ZIP file. The application will write the files to the specified locations, bypassing the intended directory restrictions.

Added: Dec 1, 2025, 9:18 AM
Updated: Dec 1, 2025, 4:01 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact         10.0
exploitability  6.6
remediation     0.0
relevance       1.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.