Bolo-Blog Bolo-Solo Path Traversal Vulnerability Leading to Arbitrary File Write and Remote Code Execution
Vulnerability
A path traversal vulnerability has been identified in Bolo-Blog Bolo-Solo versions through 2.6.4. The issue resides in the 'importFromMarkdown' function within 'BackupService.java', part of the Filename Handler component. Because filenames are not properly validated, manipulating the 'File' argument allows arbitrary file write on the server. The vulnerability can be exploited remotely, and an exploit is publicly available.
Impact
Exploitation of this vulnerability allows arbitrary file write on the server, which is particularly dangerous because it can lead to remote code execution. FreeMarker template files can be overwritten, and the overwritten templates can then execute arbitrary operating system commands when they are rendered.
Reproduction
To reproduce this vulnerability, upload a Markdown file through the 'import/markdown' feature, ensuring that the filename includes directory traversal sequences, such as '../'. The uploaded file will be written to a location outside the intended directory, taking advantage of the path traversal flaw. Once the file is uploaded, switch to the 'bolo-sakura' skin and access the corresponding page to trigger the execution of the uploaded FreeMarker template, which will execute the embedded commands on the server.
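The filename validation whose absence is described above can be sketched as follows. This is an added example, not Bolo-Solo's own code or its fix; the class `SafeImportPath`, the method `resolveInside`, the `.md`-only policy and all sample filenames are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Locale;

public class SafeImportPath {

    /** Maps a client-supplied upload name to a path guaranteed to stay inside baseDir. */
    static Path resolveInside(Path baseDir, String clientName) throws IOException {
        if (clientName == null || clientName.trim().isEmpty()) {
            throw new IOException("empty filename");
        }
        // The name must be a single path component. Both separators are checked,
        // because a backslash-separated name can reach a Unix server unchanged.
        if (clientName.indexOf('/') >= 0 || clientName.indexOf('\\') >= 0
                || clientName.indexOf('\0') >= 0
                || clientName.equals(".") || clientName.equals("..")) {
            throw new IOException("filename is not a plain file name");
        }
        // Assumed policy for this example: a Markdown import only accepts .md files,
        // so a template extension such as .ftl is never written.
        if (!clientName.toLowerCase(Locale.ROOT).endsWith(".md")) {
            throw new IOException("unexpected extension");
        }
        try {
            Path base = baseDir.toRealPath();              // resolves symlinks in the base
            Path target = base.resolve(clientName).normalize();
            // Defence in depth: the final path must still be under the base directory.
            if (!target.startsWith(base)) {
                throw new IOException("path escapes import directory");
            }
            return target;
        } catch (InvalidPathException e) {
            throw new IOException("filename is not a valid path", e);
        }
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("md-import"); // constructed sandbox directory
        String[] names = {"post.md", "../../templates/example.ftl",
                          "..\\..\\x.md", "..", "notes/../a.md"}; // constructed inputs
        for (String n : names) {
            try {
                System.out.println(n + " -> " + resolveInside(base, n));
            } catch (IOException e) {
                System.out.println(n + " -> REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only `post.md` is accepted; every name containing a separator or a traversal component is rejected before any file is opened for writing.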
