Bolo-Blog Bolo-Solo FreeMarker Template Handler Arbitrary File Upload Vulnerability Allowing Remote Code Execution

An arbitrary file upload vulnerability has been identified in Bolo-Blog Bolo-Solo versions through 2.6.4. The issue resides in the FreeMarker Template Handler within the PicUploadProcessor.java file. The vulnerability allows for unrestricted file uploads by manipulating the file argument, which can be exploited remotely. This flaw has been publicly disclosed and acknowledged by the project, but no response has been received yet.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which can lead to overwriting existing FreeMarker template files. Since the application uses FreeMarker for dynamic page rendering, injected malicious expressions can be executed on the server, resulting in remote code execution.

Reproduction

To reproduce this vulnerability, upload a file through the '/pic/upload' endpoint using a specially crafted file name that targets FreeMarker template files, such as 'index.ftl' in the 'skins/bolo-next' directory. The uploaded file can then be modified to include malicious FreeMarker code that executes on the server.