Warehouse Management System Arbitrary File Read Vulnerability

Vulnerability

An arbitrary file read vulnerability has been identified in the Warehouse Management System version 1.2. The issue lies in the endpoint '/file/showImageByPath', which takes a user-controlled path parameter and opens the referenced file without validating or canonicalizing it first. Because directory traversal sequences ('../') are not rejected and the resolved path is not checked against the upload directory, an authenticated attacker can read arbitrary files from the server's file system.

Impact

Exploitation of this vulnerability allows authenticated attackers to read arbitrary files on the server with the privileges of the application process, potentially disclosing sensitive information such as Windows configuration files, application configuration files, logs, and files containing credentials (for example database connection strings). Credentials recovered this way could further facilitate privilege escalation or lateral movement.

Reproduction

To reproduce this vulnerability, an authenticated user can navigate to the Product Management section, select Product Images, and copy the address of an image; that address is a request to '/file/showImageByPath' whose path parameter names a file under the upload directory. Modifying the path parameter to include directory traversal sequences ('../') escapes the upload directory, and supplying a path such as 'C:/windows/win.ini' returns the contents of that system file in the response. Note that a valid account is required, so the issue is only reachable post-authentication.

Remediation

It is recommended to normalize and canonicalize the path (decode it, unify '\' and '/' separators, and resolve it to an absolute path), reject any path containing a '..' segment, reject absolute paths including Windows drive-letter and UNC forms, verify that the resolved path still lies within the designated upload directory, and enforce a whitelist of image file extensions when displaying images. The containment check on the canonicalized path is the authoritative control; rejecting '..' alone is insufficient because encoded or mixed-separator variants can bypass a naive string match.
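The following is an added illustration, not code from the Warehouse Management System or from this advisory. It shows a path-resolution helper of the kind the flawed endpoint would need: vulnerable_resolve() mirrors the described behaviour (the parameter is joined to the upload directory with no validation), and safe_resolve() applies the remediation steps above. The upload root '/srv/wms/uploads', the sample image path 'products/123.png' and the extension whitelist are assumptions; the real values are not stated in the advisory.

```python
import os
import re
from typing import Optional

# Hypothetical upload root; the real location is not stated in the advisory.
UPLOAD_DIR = "/srv/wms/uploads"
# Assumed whitelist of image types the endpoint should be willing to serve.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}
# Windows drive-letter ("C:") and UNC ("//host" or "\\host") prefixes.
_DRIVE_OR_UNC = re.compile(r"^([A-Za-z]:|//|\\\\)")


def vulnerable_resolve(path: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Mirrors the flaw described in the advisory: the user-supplied path is
    joined to the upload directory with no validation, so '../' sequences
    and absolute paths escape it. Deliberately insecure, for contrast only."""
    return os.path.normpath(os.path.join(upload_dir, path))


def safe_resolve(path: str, upload_dir: str = UPLOAD_DIR) -> Optional[str]:
    """Return the canonical file path to serve, or None if the request must
    be rejected. Implements the remediation steps: normalize separators,
    reject '..' segments and absolute paths, whitelist the extension, and
    finally verify containment on the canonicalized absolute path."""
    if not path or "\x00" in path:
        return None
    # Unify separators so a single segment check covers '..\\' as well as '../'.
    p = path.replace("\\", "/")
    # Block absolute paths in both POSIX and Windows spellings.
    if p.startswith("/") or _DRIVE_OR_UNC.match(p):
        return None
    # Reject traversal segments; 'a..b.png' is a legitimate file name, so
    # compare whole segments rather than searching for the substring.
    if any(seg == ".." for seg in p.split("/")):
        return None
    # Only image types may be displayed by this endpoint.
    if os.path.splitext(p)[1].lower() not in ALLOWED_EXT:
        return None
    # Canonicalize both sides (resolves symlinks on a real file system) and
    # require the result to remain under the upload directory. This check is
    # the authoritative control even if the string checks above are bypassed.
    base = os.path.realpath(upload_dir)
    full = os.path.realpath(os.path.join(base, p))
    if os.path.commonpath([base, full]) != base:
        return None
    return full


if __name__ == "__main__":
    # Constructed sample parameters: the legitimate value copied from the
    # Product Images page, and traversal payloads of the kind described.
    samples = [
        "products/123.png",
        "../../windows/win.ini",
        "..\\..\\windows\\win.ini",
        "C:/windows/win.ini",
        "/etc/passwd",
        "products/shell.php",
    ]
    for s in samples:
        print(f"{s!r:32} vulnerable -> {vulnerable_resolve(s)}")
        print(f"{'':32} safe       -> {safe_resolve(s)}")
```

In a real deployment the containment check should run on the same canonical form the file-opening call will use, and the framework's URL decoding should happen before safe_resolve() is called so that encoded traversal sequences are seen in their decoded form.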

Added: Dec 5, 2025, 5:28 PM
Updated: Dec 5, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          0.0
impact          2.5
exploitability  6.6
remediation     0.0
relevance       1.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.