veal98 Echo Unauthenticated Arbitrary File Upload Vulnerability

A critical vulnerability has been identified in veal98 Echo Open Source Community System version 4.2. The issue resides in the uploadMdPic function of the discuss/uploadMdPic file, where the argument editormd-image-file is manipulated to allow unrestricted file uploads. This vulnerability can be exploited remotely, and the details have been disclosed publicly.

Impact

Exploitation of this vulnerability allows for unauthenticated users to upload arbitrary files to the server, potentially leading to further attacks such as remote code execution or uploading malicious files that could be accessed later.

Reproduction

To reproduce this vulnerability, send a POST request to the discuss/uploadMdPic endpoint without authentication. Include a file in the editormd-image-file parameter. The uploaded file will be saved on the server without any extension or permission checks, allowing for the upload of malicious files, such as HTML files containing JavaScript.