PerfreeBlog
cpe:2.3:a:perfree:perfreeblog:*:*:*:*:*:*:*
- 4.0.11
An arbitrary file upload vulnerability has been identified in PerfreeBlog version 4.0.11. It arises in the 'installPlugin' function, where uploaded files are first stored in a temporary directory. Directory traversal makes the issue worse: uploaded files can be saved outside the intended directory and may overwrite existing files. Exploiting this vulnerability could lead to remote code execution by overwriting specific Java files.
Exploitation of this vulnerability allows for arbitrary file uploads, with the potential to overwrite existing files and execute uploaded Java files, leading to remote code execution.
To reproduce this vulnerability, log into the PerfreeBlog admin panel and navigate to the Plugin Management section. Once there, use the file upload feature to upload a file through the 'installPlugin' API endpoint. The uploaded file can be a Java file, taking advantage of directory traversal to save it in a location that overwrites an existing file. After uploading, the file can be executed, resulting in remote code execution.
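One way to close the traversal and overwrite paths described above, shown as an added example that is not PerfreeBlog's code or its fix. The class name, the staging directory, the `.jar` allow-list and the sample upload names are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

public class PluginUploadGuard {
    // Assumption: plugins are .jar archives with plain names; adjust the allow-list to the real format.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}\\.jar");

    // Unsafe pattern: the client-supplied name is joined as-is, so "../" segments
    // resolve to a path outside the staging directory.
    static Path unsafeTarget(Path stagingDir, String clientName) {
        return stagingDir.resolve(clientName).normalize();
    }

    // Hardened pattern: allow-list the name, then confirm containment after normalization.
    static Path safeTarget(Path stagingDir, String clientName) throws IOException {
        if (clientName == null || !SAFE_NAME.matcher(clientName).matches()) {
            throw new IOException("rejected upload name");
        }
        Path base = stagingDir.toAbsolutePath().normalize();
        Path target = base.resolve(clientName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("upload escapes staging directory");
        }
        return target;
    }

    // Files.copy without REPLACE_EXISTING throws FileAlreadyExistsException,
    // so an upload cannot overwrite a file that is already present.
    static Path store(Path stagingDir, InputStream body, String clientName) throws IOException {
        Path target = safeTarget(stagingDir, clientName);
        Files.copy(body, target);
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path staging = Files.createTempDirectory("plugin-staging"); // hypothetical staging directory
        // Constructed sample names, not taken from the advisory; the repeat exercises the no-overwrite path.
        String[] names = {"demo-plugin.jar", "../../src/Example.java", "demo-plugin.jar"};
        for (String name : names) {
            System.out.println(name + " -> unsafe join: " + unsafeTarget(staging, name));
            try {
                System.out.println("  stored at " + store(staging, new ByteArrayInputStream(new byte[] {1}), name));
            } catch (IOException e) {
                System.out.println("  refused: " + e);
            }
        }
    }
}
```

The name allow-list and the containment check are independent controls: the first rejects separators and dot segments outright, and the second still holds if the allow-list is later loosened.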