VYPR
Unrated severity · NVD Advisory · Published Jul 11, 2023 · Updated Nov 8, 2024

CVE-2023-37656

Description

WebsiteGuide v0.2 is vulnerable to Remote Command Execution (RCE) via image upload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Patches

Vulnerability mechanics

Root cause

"The application fails to validate the filename during image uploads, allowing directory traversal."

Attack vector

An attacker can upload a file with a crafted filename containing directory traversal sequences like "../../". This allows the attacker to overwrite existing files on the server, including executable code. The vulnerability is triggered via the image upload functionality within the "替换图标" (Replace Icon) feature. By intercepting the upload request and modifying the filename, an attacker can achieve remote command execution [ref_id=1].

Affected code

The vulnerability resides in the `IconViewSet.post` method within the `/websiteapp/views.py` file. Specifically, the `save_path` variable does not sufficiently validate the uploaded filename, permitting path traversal characters such as "../../" [ref_id=1].

What the fix does

The advisory does not provide a patch or specific remediation guidance. However, it implies that proper validation of the uploaded filename to prevent directory traversal and checking the binary content of the uploaded file would mitigate the vulnerability [ref_id=1].
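The two mitigations the advisory implies, filename validation against traversal and a check on the uploaded binary, are shown below as an added example written for this page; it is not WebsiteGuide's code and not the `IconViewSet.post` handler mentioned above. The upload directory, the function names and the sample payloads are assumptions. The point it demonstrates is that a safe handler refuses any directory component in the client-supplied name outright, then re-checks containment on the resolved path as an independent second guard, and only then looks at the file body.

```python
"""Filename and content validation for an icon upload handler.

Added example, not WebsiteGuide's own code: the upload directory, the
function names and the sample payloads below are assumptions.
"""
import os
from pathlib import Path

# Signatures of the image types an icon endpoint would plausibly accept.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "ico": b"\x00\x00\x01\x00",
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "ico"}


class UnsafeUploadError(ValueError):
    """Raised when a client-supplied filename or file body fails validation."""


def sanitize_filename(filename: str) -> str:
    """Accept only a bare basename with an allowed image extension.

    A browser never sends a directory component in the multipart filename,
    so any '/' or '\\' (or '..') is treated as tampering and rejected rather
    than silently stripped. Both separators are checked because the client
    controls the string and the server may run on Windows.
    """
    if not filename or filename in {".", ".."}:
        raise UnsafeUploadError("empty or dot-only filename")
    if "/" in filename or "\\" in filename or ".." in filename:
        raise UnsafeUploadError(f"path component in filename: {filename!r}")
    if "\x00" in filename or any(ord(c) < 32 for c in filename):
        raise UnsafeUploadError(f"control character in filename: {filename!r}")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeUploadError(f"extension not allowed: {filename!r}")
    return filename


def resolve_inside(upload_dir: str, filename: str) -> str:
    """Return the destination path, proving it stays under upload_dir.

    Containment is checked on the resolved paths as a second, independent
    guard: even if sanitize_filename were bypassed, a target outside the
    upload directory is refused before anything is written.
    """
    root = Path(upload_dir).resolve()
    target = (root / sanitize_filename(filename)).resolve()
    if root != target and root not in target.parents:
        raise UnsafeUploadError(f"path escapes upload directory: {target}")
    return str(target)


def check_image_content(data: bytes) -> str:
    """Verify the body starts with a known image signature; return its type."""
    for kind, magic in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    raise UnsafeUploadError("file body is not a recognised image")


def validate_upload(upload_dir: str, filename: str, data: bytes) -> str:
    """Combined check a view would run before writing the upload to disk."""
    check_image_content(data)
    return resolve_inside(upload_dir, filename)


def is_safe_upload(upload_dir: str, filename: str, data: bytes) -> bool:
    """Boolean form of validate_upload, convenient for tests and logging."""
    try:
        validate_upload(upload_dir, filename, data)
        return True
    except UnsafeUploadError:
        return False


if __name__ == "__main__":
    # Constructed samples: a traversal name like the advisory's and a
    # benign PNG-looking icon. The directory path is an assumption.
    upload_dir = os.path.join(os.getcwd(), "icons")
    samples = [
        ("../../views.py", b"print('not an image')"),
        ("..\\..\\views.py", b"\x89PNG\r\n\x1a\n"),
        ("icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, body in samples:
        try:
            print(f"{name!r} -> {validate_upload(upload_dir, name, body)}")
        except UnsafeUploadError as exc:
            print(f"{name!r} -> rejected: {exc}")
```

Rejecting rather than stripping the directory component is deliberate: a multipart upload whose filename contains a separator is itself a signal worth logging, and stripping it would let the request proceed silently. The magic-byte check is a coarse filter, not a full image parse; it stops a script body arriving under an image name but should sit alongside the extension allow-list and the containment check, not replace them.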

Preconditions

  • config: The WebsiteGuide v0.2 application must be running.
  • auth: The attacker needs to be able to access the "分组管理" (Group Management) and subsequently the "网址管理" (Website Management) sections to add a website and then access the "替换图标" (Replace Icon) feature.

Reproduction

First, add a website in "分组管理". After building, visit `http://localhost:8000/admin/website`. Click the navigator entry "网址管理", and then click "替换图标". Click "上传图标" and choose the payload. Then click "确定" to upload. Observe the HTTP request in Burp Suite, send it to the repeater, and replace the filename `..1..1views.py` with `../../views.py`. Click Send. Finally, visit the website page to trigger the API `/api/icon` and observe the downloaded `index.html` at the path `/websiteapp/`, proving RCE [ref_id=1].

Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet).