CVE-2025-13816

MEDIUM 5.3 / 10.0
Published: December 1, 2025 at 09:16 AM
Modified: December 3, 2025 at 10:02 PM
Source: cna@vuldb.com

Vulnerability Description

A security vulnerability has been detected in moxi159753 Mogu Blog v2 up to 5.2. The impacted element is the function FileOperation.unzip of the file /networkDisk/unzipFile of the component ZIP File Handler. Such manipulation of the argument fileUrl leads to path traversal. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Metrics

Base Score: 5.3
Severity: MEDIUM
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: cna@vuldb.com

AI Security Analysis

01 // Technical Summary

Mogu Blog v2 versions up to 5.2 are vulnerable to path traversal in the ZIP file handler. A remote attacker can exploit the FileOperation.unzip function to write arbitrary files to the server, potentially leading to remote code execution and complete system compromise. The vendor has not responded to the vulnerability disclosure, which raises the risk for deployments still running affected versions.

02 // Vulnerability Mechanism

Step 1: Payload Preparation: The attacker crafts a malicious ZIP archive whose entries have filenames designed to exploit path traversal, for example a file named ../../../../var/www/html/webshell.php.

Step 2: Payload Delivery: The attacker uploads the malicious ZIP archive to the vulnerable Mogu Blog instance, or provides a URL to the archive.

Step 3: Vulnerability Trigger: The attacker triggers the FileOperation.unzip function, providing the URL or path to the malicious ZIP archive as the fileUrl argument.

Step 4: Path Traversal Exploitation: The unzip function extracts the ZIP archive. Because of the lack of input validation, the path traversal sequences in the filenames are not neutralized.

Step 5: File Overwrite: The files within the ZIP archive are extracted to the specified paths, including the attacker-controlled paths outside the intended directory. This allows the attacker to overwrite existing files, such as web application files, or create new files, such as a web shell.

Step 6: Post-Exploitation: The attacker uses the overwritten or newly created files to gain further access, such as executing arbitrary code on the server or escalating privileges.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation within the FileOperation.unzip function in /networkDisk/unzipFile. Specifically, the fileUrl argument, which specifies the path to the ZIP archive, is not properly sanitized. An attacker can craft a malicious ZIP file containing filenames with path traversal sequences (e.g., ../../../../etc/passwd). When the unzip function extracts the archive, these sequences are resolved as-is, so files are written outside the intended directory, potentially overwriting critical system files or web application files. This missing path validation amounts to an arbitrary file write, which can be leveraged for further exploitation, such as uploading a web shell or modifying configuration files to achieve remote code execution.

CVE-2025-13816 - MEDIUM Severity (5.3) | Free CVE Database | 4nuxd