Xiaowei1118 Java_Server Path Traversal Vulnerability in File Upload API
Vulnerability
A critical path traversal vulnerability has been identified in the Xiaowei1118 Java_Server application, specifically in the File Upload API in the FoodController.java file. The vulnerability, present in versions up to commit 11a5bac8f4ba1c17e4bc1b27cad6d24868500e3a on Windows, allows arbitrary file deletion by manipulating file paths. The root cause is inadequate validation of an externally supplied path parameter in the file deletion step, and the flaw can be exploited remotely.
Impact
Exploitation of this vulnerability allows for arbitrary file deletion on the server where the application is running.
Reproduction
To reproduce this vulnerability, log into the application and obtain a session cookie. Then, use the upload image API to upload a file while including a path traversal payload in the 'img' parameter. The payload should be crafted to navigate out of the intended directory and into a location where a target file can be deleted. After the request is processed, the targeted file will be removed, demonstrating the successful exploitation of the path traversal vulnerability.
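The following is an added illustration of the defect class the advisory describes, not Xiaowei1118 Java_Server's own code: the `ImageStore` class, its method names, and the temporary-directory setup are assumptions made for the example. It places the unsafe "join the request-controlled `img` value to the upload directory and delete" pattern beside a hardened version that only accepts a bare file name and verifies that the canonical target stays inside the upload directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper (not the project's code) showing a delete-on-replace step
// that takes its file name from a request parameter, first unvalidated, then confined.
public class ImageStore {
    private final Path uploadDir;

    public ImageStore(Path uploadDir) throws IOException {
        // toRealPath() resolves symlinks and ".." so later comparisons are meaningful.
        this.uploadDir = uploadDir.toRealPath();
    }

    // VULNERABLE pattern: the caller-controlled value is joined to the upload
    // directory without validation, so "../" segments (and on Windows "..\") escape it.
    public boolean deleteOldImageUnsafe(String img) throws IOException {
        Path target = uploadDir.resolve(img);
        return Files.deleteIfExists(target);
    }

    // HARDENED form: require a bare file name, normalise, and confirm the result
    // (lexically and after symlink resolution) is still under uploadDir.
    public boolean deleteOldImageSafe(String img) throws IOException {
        Path requested = Paths.get(img);
        // Reject anything with a root ("/x", "C:\x", "\x") or more than one segment ("a/b", "../x").
        if (requested.getRoot() != null || requested.getNameCount() != 1) {
            throw new IllegalArgumentException("img must be a bare file name");
        }
        // normalize() collapses a lone ".."; startsWith() compares path components, not a string prefix.
        Path target = uploadDir.resolve(requested).normalize();
        if (!target.startsWith(uploadDir)) {
            throw new IllegalArgumentException("img escapes the upload directory");
        }
        // A symlink dropped inside uploadDir could still point elsewhere; check the real path too.
        if (Files.exists(target) && !target.toRealPath().startsWith(uploadDir)) {
            throw new IllegalArgumentException("img escapes the upload directory via a link");
        }
        return Files.deleteIfExists(target);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: an upload directory and a file that lives outside it.
        Path dir = Files.createTempDirectory("uploads");
        Path outside = Files.createTempFile("outside", ".txt");
        Path inside = Files.createFile(dir.resolve("old.png"));
        ImageStore store = new ImageStore(dir);

        // Relative path from the upload directory to the outside file, e.g. "../outside123.txt".
        String traversal = dir.toRealPath().relativize(outside.toRealPath()).toString();
        try {
            store.deleteOldImageSafe(traversal);
            System.out.println("unexpected: traversal accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected traversal '" + traversal + "': " + e.getMessage());
        }
        System.out.println("outside file still present: " + Files.exists(outside));

        // A legitimate bare file name inside the directory is still deleted.
        System.out.println("deleted old.png: " + store.deleteOldImageSafe("old.png"));
        System.out.println("inside file still present: " + Files.exists(inside));

        Files.deleteIfExists(outside);
        Files.deleteIfExists(dir);
    }
}
```

The `main` method only exercises the hardened variant; `deleteOldImageUnsafe` is kept for comparison and is never called. Two details matter on Windows, the platform named in the advisory: `Paths.get` treats both `/` and `\` as separators there, so the name-count check catches `..\..\target` as well as `../../target`, and a root-only prefix such as `\target` has a root without being absolute, which is why the check tests `getRoot()` rather than `isAbsolute()`.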
