Description
Vulnerability Reproduction
Similar to [JPress front-end arbitrary file upload vulnerability · Issue #173 · JPressProjects/jpress (github.com)](#173).
Deploy JPress on Windows.
After installing the JPress framework, register a user.
http://localhost/user/register
After registration, go to the avatar settings (http://localhost/ucenter/avatar), select an image, and capture the packet to submit.
If you upload an HTML file normally, it shows that uploading is not supported.
Uploading a JSP file causes its suffix to be changed.
When we append ::$DATA to the end of the file name and send the packet, the file should normally be saved at /attachment/20240803/b91be30530c843f8aed2c08bb2222ddc.jsp::$DATA, but the final file is saved at /attachment/1.jsp.
The same applies to HTML files, so this is not elaborated here.
Vulnerability Analysis
Located in the io.jpress.web.commons.controller.AttachmentController#upload method, line 55 calls the ControllerBase#getFile method.
Then getFile calls the getFirstFileOnly method.
The getFirstFileOnly method calls this.getFiles() to save the file at /attachment/1.jsp::$DATA, but because of how Windows (NTFS) handles file names, the ::$DATA suffix is ignored and the file is saved at /attachment/1.jsp.
Finally, at line 90 of the io.jpress.web.commons.controller.AttachmentController#upload method, an error is triggered, which prevents the file from being moved any further, so the file remains at /attachment/1.jsp.
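As an added illustration of the mitigation (this is not JPress code; the class and method names are hypothetical), the snippet below contrasts a naive suffix check, which an NTFS alternate data stream suffix like ::$DATA slips past, with a hardened check that allowlists the whole file-name shape and the extension before the server ever touches the disk:

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not JPress's own code. Shows why a check that only looks at
// "everything after the last dot" misses names such as "1.jsp::$DATA".
public class UploadNameCheck {
    // Extensions an avatar upload is allowed to carry (assumed allowlist).
    private static final Set<String> IMAGE_EXTS = Set.of("jpg", "jpeg", "png", "gif");

    // Whole-name allowlist: base name and extension only, no ':' (so no NTFS
    // alternate data stream suffix), no path separators, no control characters.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.[A-Za-z0-9]{1,8}$");

    // Naive denylist check: for "1.jsp::$DATA" the pseudo-extension is
    // "jsp::$data", which does not equal "jsp", so nothing is blocked or
    // renamed, yet NTFS writes the data into "1.jsp".
    static boolean naiveIsBlocked(String name) {
        String ext = name.substring(name.lastIndexOf('.') + 1).toLowerCase();
        return ext.equals("jsp") || ext.equals("html");
    }

    // Hardened check: reject anything that is not a plain name, then require
    // the extension to be on the image allowlist.
    static boolean hardenedIsAllowed(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            return false;
        }
        String ext = name.substring(name.lastIndexOf('.') + 1).toLowerCase();
        return IMAGE_EXTS.contains(ext);
    }

    public static void main(String[] args) {
        // Constructed sample names, including the ones from the report above.
        String[] samples = {"avatar.png", "1.jsp", "1.jsp::$DATA", "1.html::$DATA", "../x.png"};
        for (String s : samples) {
            System.out.printf("%-16s naiveBlocked=%-5b hardenedAllowed=%b%n",
                    s, naiveIsBlocked(s), hardenedIsAllowed(s));
        }
    }
}
```

Independently of the name check, the stored file should always receive a server-generated name and extension taken from the allowlist, so that a client-supplied suffix never decides where or as what the bytes land.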
