YiFang CMS Unrestricted File Upload Vulnerability in P_file.php Component
Vulnerability
An unrestricted file upload vulnerability has been identified in YiFang CMS versions through 2.0.5. The issue resides in the 'mergeMultipartUpload' function of 'app/utils/base/plugin/P_file.php', where the uploaded file name can be manipulated via the 'md5value' and 'name' parameters. The flaw can be exploited remotely: uploaded files are not properly validated before being saved, potentially leading to the execution of malicious scripts.
Impact
Exploitation of this vulnerability allows unrestricted file uploads: malicious files such as web shells or other types of executable scripts can be uploaded and may then be executed on the server.
Reproduction
To reproduce this vulnerability, send a POST request to '/api/file/webUploader' with 'multipart/form-data' content. Include the 'name' parameter to specify the file name, the 'md5value' parameter to control the upload process, and the 'file' parameter to upload the actual file content. The 'mergeMultipartUpload' function processes the upload, but the application does not properly validate the file before saving it, which allows uploaded scripts to be executed.
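One way to validate the two client-controlled fields before the merged file is saved, as an added example that is not YiFang CMS code. The function name safeMergedPath, the extension allowlist and the sample inputs are assumptions; the stored name is built from the validated 'md5value' plus an allowlisted extension, so nothing from 'name' other than that extension reaches the file system.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of YiFang CMS: derives the stored file path
// from the 'md5value' and 'name' fields named in the advisory.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip']; // assumed policy

function safeMergedPath(string $uploadDir, string $md5value, string $name): string
{
    // 'md5value' must be exactly a 32-character hex digest, so it cannot
    // carry path separators, dots or an extension of its own.
    if (preg_match('/\A[a-f0-9]{32}\z/i', $md5value) !== 1) {
        throw new InvalidArgumentException('md5value is not a 32-character hex digest');
    }

    // 'name' is used only as the source of the extension, never as the stored
    // name. Normalise backslashes first so basename() strips Windows paths too.
    $base = basename(str_replace('\\', '/', $name));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new InvalidArgumentException('file extension is not on the allowlist');
    }

    // Resolve the upload directory once; the final name contains no
    // client-supplied characters outside [a-f0-9] and the allowlisted extension.
    $root = realpath($uploadDir);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('upload directory does not exist');
    }
    return $root . DIRECTORY_SEPARATOR . strtolower($md5value) . '.' . $ext;
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    ['d41d8cd98f00b204e9800998ecf8427e', 'photo.JPG'],          // accepted
    ['d41d8cd98f00b204e9800998ecf8427e', 'script.php'],         // extension rejected
    ['../../d41d8cd98f00b204e9800998ecf8427e.php', 'a.jpg'],    // md5value rejected
    ['d41d8cd98f00b204e9800998ecf8427e', 'script.php.jpg'],     // stored as <md5>.jpg
];
foreach ($samples as [$md5, $name]) {
    try {
        echo safeMergedPath(sys_get_temp_dir(), $md5, $name), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected ($name): ", $e->getMessage(), PHP_EOL;
    }
}
```

Name validation does not inspect file content, so the upload directory should also be configured so that the web server never executes scripts from it.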
