EyouCMS Unrestricted File Upload Vulnerability in Admin Logo Edit Function

Vulnerability

A vulnerability catalogued as unrestricted file upload has been identified in EyouCMS versions through 1.7.1. The issue resides in the admin controller's 'edit_adminlogo' function, where the 'filename' parameter is not validated before it is used as the source path of a server-side copy. In effect this is an arbitrary file copy rather than an upload: an authenticated administrator can copy any file the web server process can read into a publicly accessible directory, potentially disclosing sensitive information such as database credentials and configuration files.

Impact

Exploitation of this vulnerability allows an authenticated administrator to copy sensitive files into a public directory, from which they can be fetched over HTTP without any further authentication. Candidate targets include database credentials, application configuration, security settings and environment variables, any of which can be used to compromise the application or its data further (database credentials, for example, give direct access to the backing database if it is reachable).

Reproduction

To reproduce this vulnerability, an authenticated administrator sends a POST request to the 'edit_adminlogo' endpoint whose 'filename' parameter points at a sensitive file on the server, for example 'application/database.php'. The controller copies that file into the public directory, after which the copy can be requested through the web server by anyone who knows its location. Whether the copy is served verbatim or interpreted by the server depends on how that directory is configured, which is also why the web server configuration matters for remediation.

Remediation

Restricting access to the 'edit_adminlogo' endpoint and blocking public access to the copied files via web server configuration reduce exposure, but they are mitigations only. The underlying fix is to validate 'filename': resolve it and accept it only if it names a file inside the intended upload directory with an expected image extension, and write the copy under a fixed destination name rather than one derived from the request.
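As an added illustration (not EyouCMS code, and not a reproduction of its actual controller), the following PHP script models the copy pattern the advisory describes beside a hardened version of the same operation. The directory layout, the function names and the fixed destination name 'adminlogo.<ext>' are assumptions; the sample logo and the fake 'application/database.php' are constructed in a temporary directory so the script runs offline.

```php
<?php
// Added example, not EyouCMS code. Models the copy described in the advisory:
// an admin-supplied 'filename' is used as the source of a server-side copy
// into a web-reachable directory. Paths and function names are assumptions.

declare(strict_types=1);

// Constructed sandbox: a fake site root with an uploads directory, a public
// logo directory and a fake configuration file holding a "secret".
$root    = sys_get_temp_dir() . '/eyou_demo_' . getmypid();
$uploads = $root . '/uploads';          // assumed legitimate logo location
$public  = $root . '/public/logo';      // assumed web-reachable destination
@mkdir($uploads, 0700, true);
@mkdir($public, 0700, true);
@mkdir($root . '/application', 0700, true);
file_put_contents($uploads . '/logo.png', "\x89PNG\r\n\x1a\nconstructed");
file_put_contents($root . '/application/database.php',
    "<?php return ['password' => 'constructed-secret'];");

// Vulnerable pattern (as the advisory describes it): the relative path comes
// straight from the request, so any readable file can be named as the source.
function copyLogoUnsafe(string $root, string $public, string $filename): bool
{
    $src = $root . '/' . $filename;
    return copy($src, $public . '/' . basename($src));
}

// Hardened form: the source must resolve inside the uploads directory and
// carry an image extension; the destination name is fixed, not request chosen.
function copyLogoSafe(string $uploads, string $public, string $filename): bool
{
    $allowed  = ['png', 'jpg', 'jpeg', 'gif'];
    $base     = realpath($uploads);
    $resolved = realpath($uploads . '/' . $filename);  // false if it does not exist
    if ($base === false || $resolved === false) {
        return false;
    }
    // Confinement check: realpath has already collapsed '..' and symlinks, so a
    // path that does not start with "<uploads>/" escaped the directory.
    if (strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    $ext = strtolower(pathinfo($resolved, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    return copy($resolved, $public . '/adminlogo.' . $ext);
}

// Demonstration: the same sensitive file requested through both variants,
// plus a legitimate logo through the hardened one.
printf("unsafe, application/database.php:      %s\n",
    copyLogoUnsafe($root, $public, 'application/database.php') ? 'copied' : 'refused');
printf("safe,   ../application/database.php:   %s\n",
    copyLogoSafe($uploads, $public, '../application/database.php') ? 'copied' : 'refused');
printf("safe,   logo.png:                      %s\n",
    copyLogoSafe($uploads, $public, 'logo.png') ? 'copied' : 'refused');

// Cleanup of the constructed sandbox.
foreach ([$public . '/database.php', $public . '/adminlogo.png',
          $uploads . '/logo.png', $root . '/application/database.php'] as $f) {
    @unlink($f);
}
foreach ([$public, $root . '/public', $uploads, $root . '/application', $root] as $d) {
    @rmdir($d);
}
```

Run it with the php command-line interpreter. The unsafe variant copies the constructed configuration file into the public directory, which is the disclosure the advisory describes; the hardened variant refuses the traversal because the resolved path leaves the uploads directory, and accepts only the PNG, writing it under a fixed name. Checking the resolved path rather than the raw string is what matters: a denylist of '..' or '.php' in the request would still miss symlinks and alternative encodings.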

Added: Apr 19, 2026, 8:19 AM
Updated: Apr 19, 2026, 8:19 AM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          3.1
exploitability  6.3
remediation     0.0
relevance       6.0
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.