Vulnerability: Arbitrary file upload in lsFusion ≤ 6.1

**BUG_Author:** R1ckyZ

**Affected Version:** lsFusion ≤ 6.1

**Vendor:** [lsfusion GitHub Repository](https://github.com/lsfusion/platform)

**Software:** [lsfusion](https://github.com/lsfusion/platform)

**Vulnerability** **Files:**

- `platform/web-client/src/main/java/lsfusion/http/controller/file/UploadFileRequestHandler.java`

## Description:

Accessing the `/uploadFile` API invokes the `handleRequest` method in `UploadFileRequestHandler`. This method accepts an unvalidated `sid` parameter, which is directly appended to `FileUtils.APP_UPLOAD_FOLDER_PATH`. Additionally, there are no restrictions on the uploaded filename. When combined with directory traversal, this allows an attacker to upload JSP files to a web-accessible directory, leading to client-side file upload–based remote code execution (RCE). 

<img width="1486" height="599" alt="Image" src="https://github.com/user-attachments/assets/20b8773a-5c08-4f9d-aa92-e9a1463b9b30" />

## Proof of Concept:

1. Access the API `/uploadFile`, upload shell.jsp, and pass the **sid** to the directory you have traversed.

<img width="1292" height="665" alt="Image" src="https://github.com/user-attachments/assets/d1faa7ac-ec05-41f4-b0ac-b50fc8bca6f3" />

2. Access and exploit the generated file `_shell.jsp`.

<img width="1282" height="427" alt="Image" src="https://github.com/user-attachments/assets/91761762-0b44-4310-b5d5-4f0c4c48bc4b" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Vulnerability: Arbitrary file upload in lsFusion ≤ 6.1 #1544

Description:

Proof of Concept:

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Vulnerability: Arbitrary file upload in lsFusion ≤ 6.1 #1544

Description

Description:

Proof of Concept:

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions