Tmall Demo Unrestricted File Upload Vulnerability in Category Image Upload Function

Vulnerability

A critical arbitrary file upload vulnerability has been identified in Tmall Demo versions prior to 20250505. The issue resides in the 'uploadCategoryImage' function within the 'tmall/admin/uploadCategoryImage' file. It allows remote attackers to upload malicious files, such as web shells, viruses, and scripts, potentially leading to unauthorized server control or theft of sensitive information. The root cause is the absence of validation and filtering of both file names and file contents, so any file can be uploaded. Because the application also parses JSP, an uploaded JSP file can be executed server-side, which the disclosure notes can be used to run commands or plant a backdoor script.

Impact

Exploitation of this vulnerability allows arbitrary file uploads, including malicious files such as web shells or viruses. If a JSP file is uploaded, the server can execute it, potentially leading to command execution or installation of a backdoor.

Reproduction

The vulnerability can be reproduced by uploading a file through the 'uploadCategoryImage' interface, which enforces no restriction on file type or content. The uploaded file is then reachable at a URL that mirrors the upload path, so an uploaded JSP file (a web shell, for example) is executed by the server when it is requested, allowing arbitrary commands to be run.

Remediation

To address this vulnerability, it is recommended to implement strict file upload controls: allow only specific file types, such as images or documents, and verify the file header (magic bytes) against the declared type rather than trusting the extension alone. Additionally, the permissions of the upload directory should be restricted so that nothing stored there can be executed as a script, uploaded files should be renamed randomly to avoid predictable paths, and uploaded content should be scanned for malicious code.
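As an added example (not code from Tmall Demo or the disclosure), the following hardened handler applies the remediation above: an extension allowlist, a magic-byte check of the content against the declared type, and a random stored name so the client-supplied name never reaches the filesystem. The class, method and upload directory are hypothetical; it assumes Java 17+ for HexFormat.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HexFormat;
import java.util.Map;

// Hypothetical hardened replacement for a category-image upload handler.
public final class SafeImageUpload {
    // Allowlist: permitted extension -> magic bytes the file content must start with.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png",  new byte[]{(byte) 0x89, 'P', 'N', 'G'},
        "jpg",  new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif",  new byte[]{'G', 'I', 'F', '8'});
    private static final SecureRandom RNG = new SecureRandom();

    /** Validates the upload, stores it under a random name and returns that name. */
    public static String store(String originalName, InputStream body, Path uploadDir)
            throws IOException {
        // Only the final extension counts; "shell.jsp.png" yields "png" and must then
        // also pass the content check below, so a JSP body is rejected either way.
        int dot = originalName.lastIndexOf('.');
        String ext = dot < 0 ? "" : originalName.substring(dot + 1).toLowerCase();
        byte[] expected = MAGIC.get(ext);
        if (expected == null) {
            throw new IOException("extension not allowed: " + ext);
        }
        byte[] data = body.readAllBytes();
        if (data.length < expected.length
                || !Arrays.equals(Arrays.copyOf(data, expected.length), expected)) {
            throw new IOException("content does not match declared image type");
        }
        // Random name: the client-supplied name is never used on disk, so there is
        // no path traversal and no predictable URL for the stored file.
        byte[] rand = new byte[16];
        RNG.nextBytes(rand);
        String stored = HexFormat.of().formatHex(rand) + "." + ext;
        Path target = uploadDir.resolve(stored).normalize();
        if (!target.startsWith(uploadDir.normalize())) {
            throw new IOException("refusing to write outside the upload directory");
        }
        Files.createDirectories(uploadDir);
        Files.write(target, data);   // uploadDir must be served as static content only
        return stored;
    }
}
```

The directory passed as uploadDir should additionally be outside any path the servlet container maps to the JSP engine, so that even a file that slips through is served as bytes rather than executed.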

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread           0.0
  impact          10.0
  exploitability   6.1
  remediation      0.0
  relevance        0.0
  threat           6.4
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.