Improper Access Control in liukuo362573/yishaadmin
Feb 10th 2022
https://www.github.com/liukuo362573/yishaadmin exposes an endpoint "/admin/File/UploadFile" that allows uploading files without authentication.
The server does not check the caller's permissions when the endpoint is requested. It passes the attacker-supplied parameters straight to the UploadFile function, which leads to several information security risks.
An unauthenticated user can therefore upload files to the server. UploadFile does check the file format, but an attacker can upload allowed files repeatedly and exhaust the server's disk space, causing a denial of service.
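The vulnerable pattern next to a hardened form, as an added example written against ASP.NET Core MVC (the framework yishaadmin is built on). This is illustrative code, not the project's own controller, and it does not claim to show how upstream fixed the issue; the route attribute, upload folder, extension allow-list, per-request size limit, per-user quota and the "CanUploadFile" policy name are all assumptions.

```csharp
// Added example, not code from the yishaadmin repository: an ASP.NET Core MVC
// controller with an upload action in the vulnerable shape described in the
// report, next to a hardened one. Route, folder, allow-list, size limit, quota
// and policy name are assumptions made for this example.
using System;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

[Route("admin/[controller]/[action]")]
public class FileController : Controller
{
    private static readonly string[] AllowedExtensions = { ".jpg", ".png", ".pdf" };
    private const string UploadRoot = "wwwroot/Resource";          // assumed location
    private const long MaxUploadBytes = 5L * 1024 * 1024;          // 5 MiB per request
    private const long PerUserQuotaBytes = 200L * 1024 * 1024;     // 200 MiB per user

    // Vulnerable shape: no [Authorize], so anonymous callers reach this action.
    // The extension check runs, but nothing limits how often or how much is written,
    // so repeated uploads of allowed files can fill the disk.
    [HttpPost]
    public async Task<IActionResult> UploadFile(IFormFile file)
    {
        if (file == null || file.Length == 0) return BadRequest("no file");
        var ext = Path.GetExtension(file.FileName).ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext)) return BadRequest("file type not allowed");

        Directory.CreateDirectory(UploadRoot);
        var dest = Path.Combine(UploadRoot, Guid.NewGuid().ToString("N") + ext);
        await using (var stream = System.IO.File.Create(dest))
            await file.CopyToAsync(stream);
        return Ok(new { path = dest });
    }

    // Hardened shape: the caller must be authenticated and satisfy an upload
    // policy (name assumed), the request body is capped by the framework before
    // the action runs, and the caller's existing uploads are metered against a
    // quota before anything is written.
    [HttpPost]
    [Authorize(Policy = "CanUploadFile")]
    [RequestSizeLimit(MaxUploadBytes)]
    public async Task<IActionResult> UploadFileChecked(IFormFile file)
    {
        if (file == null || file.Length == 0) return BadRequest("no file");
        var ext = Path.GetExtension(file.FileName).ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext)) return BadRequest("file type not allowed");

        // Keep each user's files in their own folder so usage can be metered.
        // The id comes from the authenticated identity, never from the request body;
        // it is still checked so it cannot contribute path separators or "..".
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId) || Path.GetFileName(userId) != userId)
            return Forbid();
        var userDir = Path.Combine(UploadRoot, userId);
        Directory.CreateDirectory(userDir);

        long used = new DirectoryInfo(userDir).EnumerateFiles().Sum(f => f.Length);
        if (used + file.Length > PerUserQuotaBytes)
            return StatusCode(StatusCodes.Status507InsufficientStorage, "upload quota exceeded");

        // Server-generated name: the client-supplied FileName only contributes its extension.
        var dest = Path.Combine(userDir, Guid.NewGuid().ToString("N") + ext);
        await using (var stream = System.IO.File.Create(dest))
            await file.CopyToAsync(stream);
        return Ok(new { path = dest });
    }
}
```

The [Authorize] attribute only has an effect when UseAuthentication() and UseAuthorization() are in the middleware pipeline and the "CanUploadFile" policy is registered with AddAuthorization(); a fallback policy that requires an authenticated user for every endpoint is the safer default, because it turns "forgot the attribute" from a vulnerability into a 401. The extension allow-list above is the same kind of check the report says UploadFile already performs; it says nothing about the file's contents and does nothing against the disk-exhaustion issue, which is why the size limit and quota are separate controls.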