thinkgem JeeSite
cpe:2.3:a:jeesite:jeesite:*:*:*:*:*:*:*
- <= 5.15.1
A path traversal vulnerability has been identified in JeeSite version 5.15.1 and earlier. This issue arises in the chunked file upload mode, specifically through the 'fileMd5' parameter of the '/a/file/upload' endpoint. When chunked upload is enabled, authenticated attackers with file upload permissions can exploit this vulnerability to write files with whitelisted extensions to arbitrary locations on the filesystem. The vulnerability bypasses content-type validation, allowing potentially harmful files to be uploaded and executed.
Exploitation of this vulnerability allows for unauthorized file uploads to arbitrary locations on the server, with the uploaded files guaranteed to persist on disk. This could lead to further exploitation, such as executing malicious code or causing a denial-of-service.
To reproduce this vulnerability, upload a file via the '/a/file/upload' endpoint with the 'fileMd5' parameter crafted to include path traversal sequences. Ensure that the 'file.chunked' option is set to true on the server, as this vulnerability relies on the chunked upload feature. After uploading, the file will be written to the specified path and remain on the server, bypassing any content-type checks.
Users are advised to update to JeeSite version 5.15.2 or later, where this vulnerability has been addressed. For those using version 5.15.0, it is recommended to run 'mvn package -U' to update dependencies and repackage the project.
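The class of check that closes this kind of bug, shown as an added example; it is not JeeSite's own code or its 5.15.2 patch. The class name `ChunkPathGuard`, the method `resolveChunkDir`, and the upload root path are hypothetical, and the sample inputs are constructed. It treats 'fileMd5' strictly as a 32-character hex digest and then confirms that the resolved chunk directory stays under the upload root.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.regex.Pattern;

public class ChunkPathGuard {
    // An MD5 digest in hex is exactly 32 hex characters; matches() requires the
    // whole string to fit, so separators, dots and newlines are all rejected.
    private static final Pattern MD5_HEX = Pattern.compile("[0-9a-fA-F]{32}");

    /** Returns the chunk directory for fileMd5, or throws if the value is unsafe. */
    static Path resolveChunkDir(Path uploadRoot, String fileMd5) throws IOException {
        if (fileMd5 == null || !MD5_HEX.matcher(fileMd5).matches()) {
            throw new IllegalArgumentException("fileMd5 is not a 32-character hex digest");
        }
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(fileMd5.toLowerCase(Locale.ROOT)).normalize();
        // Defence in depth: even if the format check is loosened later,
        // refuse any path that resolves outside the upload root.
        if (!target.startsWith(root)) {
            throw new IOException("resolved chunk path escapes the upload root");
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/tmp/jeesite-demo/chunks"); // hypothetical upload root
        String[] samples = {                               // constructed test values
            "d41d8cd98f00b204e9800998ecf8427e",            // well-formed digest
            "../../outside",                               // traversal sequence
            "d41d8cd98f00b204e9800998ecf8427e/../../x",    // digest prefix, then traversal
            "..\\..\\outside",                             // Windows-style separators
            ""                                             // empty value
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + resolveChunkDir(root, s));
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("rejected: \"" + s + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is accepted; the others fail the format check before any filesystem path is built.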