Tmall Demo Unrestricted File Upload Vulnerability in Image Upload Function
Vulnerability
A critical arbitrary file upload vulnerability has been identified in Tmall Demo versions prior to 20250505. The issue resides in the 'uploadProductImage' function within 'tmall/admin/uploadProductImage'. This vulnerability allows remote attackers to upload malicious files, such as web shells, viruses, and scripts, potentially leading to server control or sensitive information theft. The vulnerability arises from a lack of file content and name validation, enabling unrestricted file uploads. Exploitation is possible by uploading a JSP file containing executable code, which can then be accessed and executed on the server.
Impact
Successful exploitation allows for arbitrary file uploads, with the potential to execute uploaded JSP files as commands on the server, including but not limited to web shell payloads.
Reproduction
To reproduce this vulnerability, upload a file through the 'tmall/admin/uploadProductImage' interface, which applies no restrictions on file type or content. The server currently parses JSP files, so commands embedded in an uploaded JSP file are executed. After upload, the file is reachable at a path that depends on the file type, and the embedded commands are processed on the server when it is requested.
Remediation
Implement strict file type restrictions on uploads, allowing only specific formats such as images or documents. Validate file headers to ensure compliance with allowed types. Restrict execution permissions on upload directories to prevent script execution. Rename uploaded files to random names to avoid predictable paths and scan files for malicious content before processing.
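One way to implement these remediation steps for an image-upload handler in Java, as an added example that is not Tmall Demo's own code (class and method names are hypothetical; assumes Java 17 and an upload directory that the servlet container does not serve or map to the JSP engine):

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.*;

public final class SafeImageUpload {
    // Allowlist of extensions and the file signature (magic bytes) each must start with.
    private static final Map<String, byte[]> SIGNATURES = Map.of(
        "png", new byte[]{(byte) 0x89, 'P', 'N', 'G'},
        "jpg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif", new byte[]{'G', 'I', 'F', '8'});
    private static final int MAX_BYTES = 5 * 1024 * 1024;   // constructed size limit
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the lower-cased extension if the client-supplied name is allowed, else throws. */
    static String allowedExtension(String originalName) {
        // Drop any directory components the client sent (e.g. "../../x.jsp").
        String base = Paths.get(originalName).getFileName().toString();
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) throw new IllegalArgumentException("rejected file name");
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!SIGNATURES.containsKey(ext)) throw new IllegalArgumentException("extension not allowed: " + ext);
        return ext;
    }

    /** True only if the file header carries the signature expected for the claimed extension. */
    static boolean signatureMatches(String ext, byte[] head) {
        byte[] sig = SIGNATURES.get(ext);
        return sig != null && head.length >= sig.length
            && Arrays.equals(head, 0, sig.length, sig, 0, sig.length);
    }

    /** Validates the upload and stores it under an unpredictable name, never the client's name. */
    static Path store(String originalName, InputStream in, Path uploadDir) throws IOException {
        String ext = allowedExtension(originalName);
        byte[] data = in.readNBytes(MAX_BYTES + 1);
        if (data.length > MAX_BYTES) throw new IllegalArgumentException("file too large");
        if (!signatureMatches(ext, data)) throw new IllegalArgumentException("content is not a " + ext);
        byte[] rnd = new byte[16];
        RNG.nextBytes(rnd);
        String name = HexFormat.of().formatHex(rnd) + "." + ext;      // random, non-guessable path
        Path target = uploadDir.resolve(name).normalize();
        if (!target.startsWith(uploadDir)) throw new IllegalStateException("path escaped upload dir");
        Files.write(target, data, StandardOpenOption.CREATE_NEW);     // fail rather than overwrite
        return target;
    }
}
```

The signature check stops a JSP renamed to .png, and the random name plus a non-executable directory removes the predictable path the Reproduction section relies on; a malware scan of the bytes can be added before Files.write.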