The latest version of JPress deployed on Windows has an arbitrary file upload vulnerability

[lazy-forever]

Vulnerability Reproduction

Similar to the [jpress前台存在任意文件上传漏洞 · Issue #173 · JPressProjects/jpress (github.com)](#173)

Deploy JPress on Windows

After installing the JPress framework, register a user.

http://localhost/user/register

After registration, go to the avatar settings (http://localhost/ucenter/avatar), select an image, and capture the packet to submit.

If you upload an HTML file normally, it shows that uploading is not supported.

Uploading a JSP file will have its suffix changed.

When we add ::$DATA to the end of the file name and send the packet.

The normal file should be saved at /attachment/20240803/b91be30530c843f8aed2c08bb2222ddc.jsp::$DATA, but the final file is saved at /attachment/1.jsp.

The same applies to HTML files, so it is not elaborated.

Vulnerability Analysis

Located in the io.jpress.web.commons.controller.AttachmentController#upload method, line 55 calls the ControllerBase#getFile method.

Then getFile calls the getFirstFileOnly method.

The getFirstFileOnly method calls this.getFiles() to save the file at /attachment/1.jsp::$DATA, but due to the characteristics of Windows, the ::\$DATA suffix is ignored, causing the file to be saved at /attachment/1.jsp.

Finally, at line 90 of the io.jpress.web.commons.controller.AttachmentController#upload method, an error is triggered, preventing the file from being moved further, so the file is saved at /attachment/1.jsp.