Shopizer Path Traversal Vulnerability in Image Upload Endpoint Allowing Arbitrary File Write and Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in Shopizer version 3.2.5, specifically within the '/content/images/add' endpoint. This vulnerability allows authenticated attackers to write arbitrary files to any writable path by exploiting directory traversal sequences in the 'qqfilename' parameter of a crafted POST request. When the application is configured to use the 'httpd' local filesystem storage backend, this flaw can be leveraged to upload a JSP web shell to the server, resulting in full remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary file writes, which can be used to upload malicious files such as web shells. If the uploaded file is executed by the server, this could lead to remote code execution.

Reproduction

To reproduce this vulnerability, first configure Shopizer to use the 'httpd' file storage backend. Next, obtain a valid JWT token for an admin or merchant account. Then, send a POST request to the '/api/v1/private/content/images/add' endpoint, including a payload in the 'qqfilename' parameter that exploits the path traversal vulnerability by injecting directory traversal sequences. After uploading a JSP web shell, access the uploaded file through the web server to execute the injected code.

Remediation

To address this vulnerability, sanitize filenames by using 'FilenameUtils.getName()' to remove directory components before any file operations. Additionally, validate resolved paths by normalizing them and ensuring they do not escape the designated upload directory.
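The two remediation steps above, worked through as an added example. This is not Shopizer's code: the class name SafeImageUpload, the helper methods, the upload root path and the sample filenames are all hypothetical and constructed here. It assumes Apache Commons IO (which provides the FilenameUtils.getName() call the advisory recommends) is on the classpath, and it goes one step beyond the advisory by also allowlisting image extensions, since a sanitized name like shell.jsp would otherwise still be written inside the upload directory.

```java
import org.apache.commons.io.FilenameUtils;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.Locale;
import java.util.Set;

// Hypothetical hardened handler for a client-supplied filename such as the
// 'qqfilename' parameter; not taken from the Shopizer source.
public class SafeImageUpload {

    // Extensions this image endpoint is willing to store (an addition beyond the
    // advisory's two steps; adjust to what the deployment actually serves).
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("png", "jpg", "jpeg", "gif", "webp");

    private final Path uploadRoot;

    public SafeImageUpload(Path uploadRoot) {
        // Canonical, absolute root so the containment check below is meaningful.
        this.uploadRoot = uploadRoot.toAbsolutePath().normalize();
    }

    /** Step 1: drop every directory component, keeping only the base name. */
    static String sanitizeFilename(String qqfilename) {
        if (qqfilename == null) {
            throw new IllegalArgumentException("missing filename");
        }
        // getName() treats both '/' and '\' as separators, so
        // "../../x.jsp" and "..\\..\\x.jsp" both reduce to "x.jsp".
        String base = FilenameUtils.getName(qqfilename);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("invalid filename");
        }
        String ext = FilenameUtils.getExtension(base).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("disallowed file type: " + ext);
        }
        return base;
    }

    /** Step 2: resolve against the root, normalize, and confirm the result never escapes it. */
    Path resolveInsideRoot(String filename) {
        Path target = uploadRoot.resolve(filename).normalize();
        // Defense in depth: even if step 1 were bypassed, a normalized path that
        // does not start with the root is refused before any file operation.
        if (!target.startsWith(uploadRoot) || target.equals(uploadRoot)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    /** Writes the upload only after both checks pass; refuses to overwrite an existing file. */
    public Path store(String qqfilename, byte[] content) throws IOException {
        Path target = resolveInsideRoot(sanitizeFilename(qqfilename));
        Files.createDirectories(uploadRoot);
        Files.write(target, content, StandardOpenOption.CREATE_NEW);
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign name and several that should be rejected.
        String[] samples = {
            "logo.png",
            "../../webapps/ROOT/shell.jsp",
            "..\\..\\x.jsp",
            "../escape.png",
            ""
        };
        SafeImageUpload uploads = new SafeImageUpload(Paths.get("/tmp/shopizer-uploads-example"));
        for (String s : samples) {
            try {
                Path resolved = uploads.resolveInsideRoot(sanitizeFilename(s));
                System.out.println("'" + s + "' -> accepted as " + resolved);
            } catch (IllegalArgumentException e) {
                System.out.println("'" + s + "' -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running main() shows only 'logo.png' accepted; '../escape.png' is reduced to escape.png and then accepted inside the root, which is the intended behaviour of getName(), while the .jsp names are refused by the extension allowlist. The containment check in resolveInsideRoot is the one that matters if sanitizeFilename is ever skipped or changed: it works on the normalized absolute path, so traversal sequences cannot move the target outside uploadRoot regardless of how the name was built.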

Added: Apr 30, 2026, 5:21 PM
Updated: Apr 30, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          1.0
impact          0.8
exploitability  6.8
remediation     0.0
relevance       7.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.