Openviglet Shio Unrestricted File Upload Vulnerability in Static File API

Vulnerability

A critical arbitrary file upload vulnerability has been identified in Openviglet Shio versions through 0.3.8. The issue resides in the 'shStaticFileUpload' method of the 'ShStaticFileAPI.java' file. The vulnerability allows remote attackers to upload malicious files to arbitrary locations on the server by manipulating the filename parameter. This could potentially lead to remote code execution.

Impact

Exploitation of this vulnerability allows for unrestricted file uploads, which could include executable files such as JSP or PHP scripts. If uploaded to a web-accessible directory, these files could be executed, leading to arbitrary code execution on the server. Additionally, the vulnerability could be exploited to upload files that cause a denial-of-service by exhausting disk space.

Reproduction

To reproduce this vulnerability, upload a file through the '/api/v2/staticfile/upload' endpoint using multipart form data. The 'file' parameter should contain the malicious file, while the 'folderId' parameter must be a valid folder ID. The 'createPost' parameter can be set to false. The key to this exploit is the filename, which should include path traversal sequences, such as '../../../webapps/ROOT/shell.jsp', to manipulate the upload destination.

Remediation

It is recommended to implement strict filename validation to prevent path traversal. This can be done by rejecting any filename that contains traversal sequences or other harmful characters or patterns, rather than attempting to clean it. Additionally, files should be stored in a secure location outside the web root, and file contents should be sanitized before they are processed.
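The following is an added example of the two-layer check described above, written here as illustration; it is not Shio's code and does not reproduce the project's `shStaticFileUpload` method. It assumes a conservative filename policy (an allowlisted character set and extension list, both hypothetical) and a storage root directory chosen by the operator; the second layer, `resolveInside`, normalizes the final path and confirms it is still under that root, so traversal is blocked even if the name filter were ever weakened.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Example upload hardening (added illustration, not Shio's own code). */
public class SafeStaticFileUpload {

    // Hypothetical policy: a plain basename, no separators, no leading dot.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$");

    // Hypothetical allowlist of static asset types; server-executable
    // extensions such as .jsp or .php are deliberately absent.
    private static final Set<String> ALLOWED_EXT =
            Set.of("png", "jpg", "jpeg", "gif", "svg", "css", "js", "pdf", "txt");

    /**
     * Validate a client-supplied filename. The name is rejected (not cleaned)
     * if it contains a path separator, a ".." sequence, characters outside the
     * allowed set, or an extension that is not on the allowlist.
     */
    public static String validateFilename(String rawName) {
        if (rawName == null || rawName.isEmpty()) {
            throw new IllegalArgumentException("empty filename");
        }
        if (rawName.indexOf('/') >= 0 || rawName.indexOf('\\') >= 0 || rawName.contains("..")) {
            throw new IllegalArgumentException("path traversal sequence in filename");
        }
        if (!SAFE_NAME.matcher(rawName).matches()) {
            throw new IllegalArgumentException("disallowed characters in filename");
        }
        int dot = rawName.lastIndexOf('.');
        String ext = dot < 0 ? "" : rawName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("disallowed file extension: " + ext);
        }
        return rawName;
    }

    /**
     * Resolve the name under the storage root and verify, after normalization,
     * that the result is still inside that root. This is the defence-in-depth
     * layer: it does not depend on how the name was filtered.
     */
    public static Path resolveInside(Path storageRoot, String safeName) {
        Path root = storageRoot.toAbsolutePath().normalize();
        Path target = root.resolve(safeName).normalize();
        if (target.equals(root) || !target.startsWith(root)) {
            throw new SecurityException("resolved path escapes storage root: " + target);
        }
        return target;
    }

    /** Store the upload; refuses to overwrite an existing file. */
    public static Path store(Path storageRoot, String rawName, InputStream content) throws IOException {
        Path target = resolveInside(storageRoot, validateFilename(rawName));
        Files.createDirectories(target.getParent());
        Files.copy(content, target); // throws FileAlreadyExistsException rather than replacing
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo root; a real deployment would point this outside the web root.
        Path root = Files.createTempDirectory("static-upload-demo");
        String[] samples = {
            "logo.png",
            "../../../webapps/ROOT/shell.jsp",
            "..\\..\\evil.jsp",
            "shell.jsp",
            "..",
        };
        for (String name : samples) {
            try {
                Path stored = store(root, name, new ByteArrayInputStream(new byte[] {1, 2, 3}));
                System.out.println(name + " -> stored at " + stored);
            } catch (IllegalArgumentException | SecurityException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with `java SafeStaticFileUpload.java` on JDK 11 or later. Only `logo.png` is stored; every other sample is rejected by `validateFilename` before any path is built, and `resolveInside` would still refuse a name that somehow resolved outside the root. Because the upload handler should also check `folderId` against the caller's permissions, that authorization step is assumed to happen before `store` is called and is not shown here.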

Added: Jul 31, 2025, 2:17 AM
Updated: Jul 31, 2025, 2:17 AM