Gin-Vue-Admin Path Traversal Vulnerability in Breakpoint Resume Upload Functionality

A path traversal vulnerability has been identified in Gin-Vue-Admin versions through 2.8.7. The issue resides in the breakpoint resume upload feature, where the application allows arbitrary file uploads to any directory. This vulnerability arises because the MakeFile function in the breakpoint_continue.go file concatenates user-supplied file names with a base directory path without proper validation, enabling attackers to exploit directory traversal sequences. An attacker with file upload privileges could manipulate the fileName parameter to upload files to unintended locations, potentially overwriting critical application files or executing malicious code.

Impact

Exploitation of this vulnerability could lead to arbitrary file uploads, overwriting of application configuration files, and potentially allow for remote code execution.

Reproduction

To reproduce this vulnerability, first upload file chunks through the /fileUploadAndDownload/breakpointContinue endpoint, which is not vulnerable. Then, call the /fileUploadAndDownload/breakpointContinueFinish endpoint with a fileName parameter that includes path traversal sequences, such as ../../../tmp/malicious.txt. This will upload the file to the specified location, demonstrating the path traversal vulnerability.

Remediation

Users are advised to update to Gin-Vue-Admin version 2.8.8, where this vulnerability has been addressed.