Warehouse Management System Arbitrary File Deletion Vulnerability

An authenticated arbitrary file deletion vulnerability exists in Warehouse Management System version 1.2. The vulnerability arises in the /goods/deleteGoods endpoint, where the user-controlled goodsimg parameter is concatenated with the server's UPLOAD_PATH and passed to the File.delete() method without proper validation. This flaw allows remote authenticated attackers to delete arbitrary files on the server by exploiting directory traversal payloads.

Impact

Exploitation of this vulnerability allows authenticated users to delete any file on the server's filesystem, including system configuration files, application files, uploaded data, and log files. Deleting critical system files could lead to a denial-of-service condition or a complete breakdown of the application.

Reproduction

To reproduce this vulnerability, send a POST request to the /goods/deleteGoods endpoint with a goodsimg parameter that includes a directory traversal payload, such as ../a.txt. Ensure that the JSESSIONID cookie is included to authenticate the request. The file specified in the goodsimg parameter will be deleted if the server has permission to remove it.

Remediation

It is recommended to implement path normalization to block traversal, reject absolute paths, and enforce file deletion only within a designated whitelist directory. Additionally, validate that the file is genuinely associated with the corresponding goods entry and consider using server-side file ID mapping instead of direct path references.