HuoCMS File Upload Vulnerability Allowing Server Control

Vulnerability

A file upload vulnerability has been identified in HuoCMS versions through 3.5.1. It allows an authenticated attacker to upload files that could be used to take control of the target server. The flaw lies in the 'sliceUploadAndSave' method of 'AttachmentController.php', where the 'resource_temp_path' parameter is not validated and can be manipulated to traverse directories, so that files are written to arbitrary locations with attacker-controlled filenames. Exploitation requires logging into the backend with a valid token.

Impact

Exploitation of this vulnerability could lead to unauthorized file uploads, potentially allowing for remote code execution or other malicious activities on the server.

Reproduction

To reproduce this vulnerability, log into the HuoCMS backend with a valid token. Once authenticated, send a POST request to the '/attachment/sliceUploadAndSave' endpoint. Include the 'resource_temp_path' parameter with a value that traverses directories (using '../') to create a folder in the 'public/storage/image' directory. The 'chunk_index' parameter can be used to control the filename of the uploaded file. After the file is uploaded, it can be accessed through the 'storage/image' directory on the server.
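The root cause is that two request parameters end up in a filesystem path without validation. The following is an added hardening example, not HuoCMS's own code: the function name, the '.part' suffix and the allow-list rules are assumptions, but the approach (allow-list each parameter, then confirm the resolved path is still under the intended base) is the standard fix for this class of bug.

```php
<?php
// Added example, not HuoCMS code. Build the on-disk target for an upload
// chunk from the two user-controlled parameters named in the advisory,
// refusing anything that could leave the storage base directory.

function resolve_chunk_target(string $baseDir, string $tempPath, string $chunkIndex): string
{
    // chunk_index must be a small non-negative integer, so it can never
    // carry a filename, an extension or a traversal sequence.
    if (!preg_match('/^\d{1,6}$/', $chunkIndex)) {
        throw new InvalidArgumentException('invalid chunk_index');
    }

    // resource_temp_path may only be a single directory component:
    // no slashes, no dots, so "../" can never appear in it.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $tempPath)) {
        throw new InvalidArgumentException('invalid resource_temp_path');
    }

    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('storage base directory does not exist');
    }

    $dir = $base . DIRECTORY_SEPARATOR . $tempPath;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create chunk directory');
    }

    // Defence in depth: even after the allow-list, confirm the resolved
    // directory still sits under the base (catches symlinks planted there).
    $real = realpath($dir);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('chunk directory escapes storage base');
    }

    // The final filename is derived only from the validated integer,
    // with a fixed suffix, so the caller never writes a user-chosen name.
    return $real . DIRECTORY_SEPARATOR . $chunkIndex . '.part';
}

// Usage (assumed base path): a traversal attempt is rejected before any
// filesystem write happens.
try {
    echo resolve_chunk_target('/var/www/storage/tmp', '../../image', '0'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Any request that is rejected this way is also worth logging with the authenticated user's identity, since a traversal attempt against this endpoint only comes from a backend account.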

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         7.5
exploitability: 6.6
remediation:    0.0
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.