ProudMuBai GoFilm Unrestricted File Upload Vulnerability
Vulnerability
An arbitrary file upload vulnerability has been identified in ProudMuBai GoFilm versions 1.0.0 and 1.0.1. The issue is in the SingleUpload function in FileController.go, which does not properly validate uploaded files, so uploads are accepted without restriction. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows unrestricted file uploads, which could be used to upload malicious files that are processed within the application's environment. This could lead to further attacks, such as executing uploaded files if the application allows it.
Reproduction
To reproduce this vulnerability, send a POST request to the /manage/file/upload endpoint. Include an auth-token in the request headers. The request must be multipart/form-data, with the file parameter set to the desired file. The absence of file type validation in the SingleUpload function will result in the file being uploaded without restriction.
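The missing check, sketched as an added example (this is not GoFilm's code): a validator that a handler such as SingleUpload could call before writing anything to disk. The image-only allowlist, the 5 MiB limit and the name ValidateUpload are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// Assumed policy (not from GoFilm): image uploads only, 5 MiB cap.
const maxUploadBytes = 5 << 20

// Allowed extension -> MIME type the sniffed content must match.
var allowedTypes = map[string]string{
	".jpg": "image/jpeg", ".jpeg": "image/jpeg",
	".png": "image/png", ".gif": "image/gif",
}

// ValidateUpload checks size, extension and sniffed content type, then returns
// a server-generated storage name; the client name only supplies the extension.
func ValidateUpload(clientName string, data []byte) (string, error) {
	if len(data) == 0 || len(data) > maxUploadBytes {
		return "", errors.New("upload rejected: empty or over size limit")
	}
	ext := strings.ToLower(filepath.Ext(clientName))
	want, ok := allowedTypes[ext]
	if !ok {
		return "", fmt.Errorf("upload rejected: extension %q not allowed", ext)
	}
	// DetectContentType inspects at most the first 512 bytes.
	if got := http.DetectContentType(data); got != want {
		return "", fmt.Errorf("upload rejected: content is %s, expected %s", got, want)
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	return hex.EncodeToString(id) + ext, nil
}

func main() {
	// Constructed sample: PNG signature followed by filler bytes.
	png := append([]byte("\x89PNG\r\n\x1a\n"), make([]byte, 32)...)
	fmt.Println(ValidateUpload("poster.png", png))
	fmt.Println(ValidateUpload("poster.png", []byte("<html><body>x</body></html>")))
}
```

Storing the file under the returned name, in a directory the server never executes or interprets, keeps the client-supplied name out of the filesystem path.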
