myMagicPower AIAS Unrestricted File Upload Vulnerability Leading to Remote Code Execution
Vulnerability
A critical vulnerability allowing unrestricted file uploads has been identified in mymagicpower AIAS version 20250308. The issue resides in the LocalStorageController.java file, where user-uploaded files are not properly validated before being saved to the server. This flaw enables attackers to upload malicious files, such as web shells, which can be executed to gain control over the server.
Impact
Exploitation of this vulnerability allows for arbitrary file uploads, which can lead to arbitrary code execution on the server.
Reproduction
To reproduce this vulnerability, upload a file through the '/api/localStorage/file' endpoint using a POST request. The file can be a malicious JSP file that, once uploaded, can execute commands on the server.
Remediation
It is recommended to implement file type restrictions and validate file extensions to prevent the upload of malicious files. Additionally, the final storage path for uploaded files should not be based on user-provided file names, to avoid directory traversal vulnerabilities.
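The remediation above as an added Java example (not code from AIAS or from this advisory): a hypothetical `SafeUploadStore` helper checks the extension against an assumed allowlist and writes the file under a server-generated name inside an assumed upload directory, so the client-supplied name never reaches the file system path.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;
// Hypothetical helper for illustration; not part of AIAS.
public class SafeUploadStore {
    // Assumed allowlist; restrict it to the types the application really needs.
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "jpeg", "gif", "pdf", "txt");
    private final Path baseDir;

    public SafeUploadStore(Path baseDir) throws IOException {
        this.baseDir = Files.createDirectories(baseDir).toRealPath();
    }

    // Returns the lower-cased extension if it is on the allowlist, otherwise throws.
    static String allowedExtension(String originalName) {
        if (originalName == null) throw new IllegalArgumentException("missing file name");
        // Look only at the last path component, whichever separator the client sent.
        int sep = Math.max(originalName.lastIndexOf('/'), originalName.lastIndexOf('\\'));
        String leaf = originalName.substring(sep + 1);
        int dot = leaf.lastIndexOf('.');
        String ext = dot < 0 ? "" : leaf.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) throw new IllegalArgumentException("type not allowed: '" + ext + "'");
        return ext;
    }

    // The client name is used only for the extension check; the stored name is generated here.
    public Path store(String originalName, InputStream data) throws IOException {
        String ext = allowedExtension(originalName);
        Path target = baseDir.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(baseDir)) throw new IOException("path escapes upload directory");
        Files.copy(data, target); // throws if the target already exists
        return target;
    }

    public static void main(String[] args) throws IOException {
        SafeUploadStore store = new SafeUploadStore(Files.createTempDirectory("uploads"));
        // Constructed sample names: two accepted, three rejected.
        for (String name : new String[] {"report.PDF", "../outside.png", "page.jsp", "image.png.jsp", "noext"}) {
            try (InputStream in = new ByteArrayInputStream("constructed sample".getBytes())) {
                System.out.println(name + " -> " + store.store(name, in));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " rejected: " + e.getMessage());
            }
        }
    }
}
```

In a Spring controller, `MultipartFile.getOriginalFilename()` and `MultipartFile.getInputStream()` would supply the two arguments to `store`. Keeping the upload directory outside any location from which the servlet container executes JSPs adds a second barrier if the extension check is ever bypassed.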
