Xujeff Tianti 天梯 Unrestricted File Upload Vulnerability in UploadController

A vulnerability allowing unrestricted file uploads has been identified in Xujeff Tianti 天梯 versions through 2.3. The issue arises in the 'ajaxUploadFile' function of the 'UploadController.java' file, where the 'upfile' argument can be manipulated to bypass security measures. This vulnerability can be exploited remotely, and the uploaded files can contain malicious payloads, such as Cross-Site Scripting (XSS) attacks.

Impact

Exploitation of this vulnerability allows for unrestricted file uploads, which can be used to upload malicious files that could be executed or processed by the application, potentially leading to further attacks such as Cross-Site Scripting (XSS).

Reproduction

To reproduce this vulnerability, send a POST request to the '/tianti-module-admin/upload/ajax/upload_file' endpoint with a file named 'pocpdf.pdf'. The file should be crafted to include a PDF payload that exploits the upload functionality, bypassing any file type restrictions. This can be done using a tool like Burp Suite or Postman, by setting the 'Content-Type' to 'image/jpeg' and including the PDF exploit in the request body.