zhousg letao Unrestricted File Upload Vulnerability in Product.js

Vulnerability

A critical vulnerability allowing unrestricted file uploads has been identified in zhousg letao up to commit 7d8df0386a65228476290949e0413de48f7fbe98. The flaw is in the file routes\bf\product.js, where the pictrdtz argument is not validated, so a client can upload files with arbitrary extensions. The vulnerability can be exploited remotely; it has been publicly disclosed and a proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows arbitrary file upload. Whether that reaches remote code execution depends on where the files land: if the upload directory is handled by a server-side interpreter, or the application later executes or requires what was uploaded, attacker-supplied scripts run on the host. Even without execution, files such as HTML or SVG served back from the upload directory with their native content type give stored cross-site scripting in the application's own origin.

Reproduction

The vulnerability can be reproduced by uploading files to the '/addProductPic' endpoint using the 'pic1', 'pic2' or 'pic3' parameters. Files sent in these parameters are saved on the server regardless of extension, and the response includes the stored file name and its URL, which shows where the file is reachable. If other parameter names are used, the files are still written to the server, but the response contains no file name or URL.

Added: Jul 25, 2025, 4:18 AM
Updated: Jul 25, 2025, 4:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.9
exploitability: 6.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.