Xiaoyunjie OpenVPN-CMS-Flask Path Traversal Vulnerability in File Upload Component

A critical path traversal vulnerability has been identified in Xiaoyunjie OpenVPN-CMS-Flask versions through 1.2.7. The issue resides in the file upload functionality within the 'app/plugins/oss/app/controller.py' file. The vulnerability allows for unauthenticated arbitrary file uploads by manipulating the 'image' argument, which can be exploited remotely. The root cause includes missing authentication, insecure filename handling, and inadequate file validation. Exploitation is straightforward, with a public proof-of-concept available.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which could lead to unauthorized access or modification of files on the server.

Reproduction

To reproduce this vulnerability, send a POST request to the '/plugin/oss/upload_to_local' endpoint without authentication. Include a file in the 'image' field, using a filename that traverses directories (e.g., '../../etc/1.jpg'). The server will respond with a success message, and the uploaded file will be saved in the specified upload directory.

Remediation

Users are advised to upgrade to version 1.2.8, which addresses this vulnerability. The updated version is available on the project's GitHub releases page.