JeeSite Path Traversal Vulnerability in File Upload Endpoint Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability exists in JeeSite version 5.15.1 and earlier. The fileEntityId parameter of the /a/file/upload endpoint is used when building the on-disk destination of an uploaded file without being validated, so an authenticated user who holds file upload permission can supply directory traversal sequences in it and write a file with any whitelisted suffix to an arbitrary location on the filesystem. Depending on which suffixes are whitelisted and where the file lands, this can escalate to remote code execution, for example if a malicious JAR file is written to a directory from which the application or host loads and executes code.

Impact

Exploitation lets an authenticated user with upload permission escape the intended upload directory and write attacker-controlled content (limited to whitelisted suffixes) to any path the application process can write. Where such a file is written to a location that is executed or loaded by the application or the host, this extends to remote code execution.

Reproduction

Authenticated as a user with file upload permission, upload a file whose suffix is whitelisted (for example .xml) to the /a/file/upload endpoint, and set the fileEntityId parameter to a value containing directory traversal, such as ../../../../../../tmp/test. After the request completes, the uploaded file is present under the directory named by the traversal (here /tmp/test) rather than under the application's upload directory, which confirms the path traversal.

Remediation

Validate the fileEntityId parameter in the FileUploadController before it is used to build a filesystem path: reject values that contain path separators, ".." segments, null bytes or any character outside the expected identifier format. As a second layer, normalize the fully resolved destination path and confirm it still lies within the configured upload base directory before the file is written, so that a loosened check elsewhere cannot reintroduce the traversal.
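One way to implement this check, as an added example that is not JeeSite's own code: a minimal Java model of the vulnerable path construction beside a hardened version. The class and method names, the upload base directory and the identifier format accepted by the allow-list are illustrative assumptions, not JeeSite identifiers.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not JeeSite code. Models how an upload controller might
 * derive the destination path from fileEntityId, and how to harden it.
 * UPLOAD_BASE, resolveUnsafe, resolveSafe and the id format are assumptions.
 */
public class FileEntityIdCheck {

    // Assumed base directory for uploaded files.
    static final Path UPLOAD_BASE = Paths.get("/data/jeesite/userfiles");

    // Vulnerable pattern: the caller-controlled id is joined into the path
    // with no validation, so a value such as "../../../../../../tmp/test"
    // resolves to a directory outside UPLOAD_BASE.
    static Path resolveUnsafe(String fileEntityId, String fileName) {
        return UPLOAD_BASE.resolve(fileEntityId).resolve(fileName);
    }

    // Hardened pattern: allow-list the id and file name, then confirm that the
    // normalized destination is still inside UPLOAD_BASE.
    static Path resolveSafe(String fileEntityId, String fileName) {
        if (fileEntityId == null || fileEntityId.isEmpty()) {
            throw new IllegalArgumentException("fileEntityId is required");
        }
        // Only the characters a real entity id needs (assumed format); this
        // rejects '/', '\', '.' and therefore every ".." sequence.
        if (!fileEntityId.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("illegal fileEntityId: " + fileEntityId);
        }
        // File name may contain dots for the suffix but never a ".." segment.
        if (fileName == null
                || !fileName.matches("[A-Za-z0-9_.-]{1,255}")
                || fileName.contains("..")) {
            throw new IllegalArgumentException("illegal file name: " + fileName);
        }
        Path target = UPLOAD_BASE.resolve(fileEntityId).resolve(fileName).normalize();
        // Defence in depth: even if the allow-list is loosened later, the
        // resolved path must remain under the upload base directory.
        if (!target.startsWith(UPLOAD_BASE)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        String traversal = "../../../../../../tmp/test";

        // Vulnerable resolution: normalize() shows where the write would land.
        Path unsafe = resolveUnsafe(traversal, "payload.xml").normalize();
        System.out.println("unsafe resolution      : " + unsafe);
        System.out.println("inside UPLOAD_BASE?    : " + unsafe.startsWith(UPLOAD_BASE));

        // Hardened resolution rejects the same input.
        try {
            resolveSafe(traversal, "payload.xml");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened resolution    : rejected (" + e.getMessage() + ")");
        }

        // A well-formed id (assumed format) is accepted and stays in place.
        System.out.println("hardened, valid id     : " + resolveSafe("1234567890", "payload.xml"));
    }
}
```

The Path.startsWith check compares name elements rather than string prefixes, so a base of /data/jeesite/userfiles does not accidentally accept /data/jeesite/userfiles2. If the upload directory may contain symbolic links, resolve the target with toRealPath() before the containment check so a link inside the base cannot point the write elsewhere.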

Added: Apr 30, 2026, 6:23 PM
Updated: Apr 30, 2026, 6:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 1.5
exploitability: 6.6
remediation: 0.0
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.