eGovFramework Common Components Unauthenticated File Upload Vulnerability
Vulnerability
A file upload vulnerability that lets unauthenticated users upload files has been identified in eGovFramework/egovframe-common-components, affecting versions through 4.3.1. The image upload endpoints /utl/wed/insertImage.do and /utl/wed/insertImageCk.do accept multipart requests without authentication. Uploaded files are stored on the server under a framework-controlled path, and the framework returns a download URL that includes an attacker-controlled Content-Type, within the limits of the image upload functionality. A filename extension whitelist is enforced, but the attacker fully controls the file contents. In versions prior to 4.1.2, the response MIME type is also under attacker control when the file is served. An unauthenticated attacker can therefore use the application as a persistent file hosting service for arbitrary content under the application's origin.
Impact
Exploitation of this vulnerability allows for unrestricted file uploads, with the potential for uploaded files to be served back to users, including the ability to specify the Content-Type of the response. This could be used to host malicious files that are then executed by the user or the server.
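The description above notes that the extension whitelist does not constrain file contents and that the Content-Type can come from the request. The following is an added example, not eGovFrame code or the project's fix: a content check that accepts an upload only when its leading bytes match the signature for the claimed extension, and returns a server-chosen Content-Type. The class name, method name and the set of allowed types are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

// Added example: hypothetical names, not part of egovframe-common-components.
public class ImageUploadCheck {

    // Extension -> signature the file body must start with.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif", "GIF8".getBytes(StandardCharsets.US_ASCII));

    // Extension -> Content-Type the server stores and later serves.
    private static final Map<String, String> MIME = Map.of(
        "png", "image/png", "jpg", "image/jpeg",
        "jpeg", "image/jpeg", "gif", "image/gif");

    /** Returns the Content-Type to store and serve, or empty to reject the upload. */
    public static Optional<String> safeContentType(String filename, byte[] content) {
        int dot = filename.lastIndexOf('.');
        if (dot < 0) return Optional.empty();
        String ext = filename.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = MAGIC.get(ext);
        if (magic == null || content.length < magic.length) return Optional.empty();
        // The body must begin with the signature of the type its extension claims.
        if (!Arrays.equals(Arrays.copyOf(content, magic.length), magic)) return Optional.empty();
        // The type comes from the server-side table, never from the request.
        return Optional.of(MIME.get(ext));
    }

    public static void main(String[] args) {
        // Constructed sample uploads.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0x0D};
        byte[] html = "<html><body>constructed</body></html>".getBytes(StandardCharsets.US_ASCII);
        System.out.println(safeContentType("logo.png", png));   // PNG signature behind a .png name
        System.out.println(safeContentType("logo.png", html));  // HTML body behind a .png name
        System.out.println(safeContentType("page.html", html)); // extension outside the allowed set
    }
}
```

A signature check does not stop polyglot files, so the stored type should be served with `X-Content-Type-Options: nosniff`, and the upload endpoints still need authentication.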
