yzcheng90 X-SpringBoot Path Traversal Vulnerability in APK File Upload Handler
Vulnerability
A critical path traversal vulnerability has been identified in yzcheng90 X-SpringBoot versions prior to 5.0. The issue resides in the APK file upload API at '/sys/oss/upload/apk', specifically within the 'uploadApk' function of the 'APK File Handler' component. The vulnerability arises because the function creates a temporary file using a filename derived from external input, without proper validation of the file path. This flaw allows an attacker to craft a file path that traverses directories, potentially deleting any '.apk' file on the system. Notably, this API endpoint does not require any authentication or permission verification, enabling remote exploitation.
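The root cause described above, next to two ways of closing it, as an added example that is not X-SpringBoot's own code. The class name, method names, upload directory and filename allow-list are hypothetical, chosen only for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class ApkUploadPaths {
    // Pattern described in the advisory: path built directly from the client-supplied name.
    static Path unsafeTempPath(Path uploadDir, String clientName) {
        return uploadDir.resolve(clientName).normalize();
    }

    // Preferred: the server picks the name, so client input never reaches the path.
    static Path serverNamedTemp(Path uploadDir) throws IOException {
        return Files.createTempFile(uploadDir, "upload-", ".apk");
    }

    // If the original name must be kept: allow-list it, then confirm containment.
    static Path validatedPath(Path uploadDir, String clientName) {
        if (clientName == null || !clientName.matches("[A-Za-z0-9][A-Za-z0-9._-]{0,99}\\.apk")) {
            throw new IllegalArgumentException("rejected filename");
        }
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(clientName).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path uploadDir = Files.createTempDirectory("apk-upload-demo");
        String constructed = "../other-dir/app.apk"; // constructed sample input

        Path unsafe = unsafeTempPath(uploadDir, constructed);
        System.out.println("unsafe stays in dir: " + unsafe.startsWith(uploadDir));

        Path temp = serverNamedTemp(uploadDir);
        System.out.println("server-named stays in dir: " + temp.startsWith(uploadDir));
        Files.delete(temp); // cleanup touches only the path the server created

        System.out.println("accepted: " + validatedPath(uploadDir, "release-1.2.apk").getFileName());
        try {
            validatedPath(uploadDir, constructed);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Files.delete(uploadDir);
    }
}
```

Path handling alone does not address the missing authentication and permission check on the endpoint, which the advisory lists as a separate condition for remote exploitation.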
Impact
Exploitation of this vulnerability allows for arbitrary deletion of '.apk' files on the system, bypassing any security restrictions that should be in place.
Reproduction
To reproduce this vulnerability, upload a file through the '/sys/oss/upload/apk' API endpoint, using a crafted filename that includes directory traversal sequences. The uploaded file will be processed by the 'uploadApk' function, which lacks proper path validation. After the upload, the targeted '.apk' file specified in the traversal path will be deleted, demonstrating the path traversal vulnerability.
