CHT Security Red Team Discovered Vulnerability in Well-Known Document System.

Summary

Due to the lack of restrictions on file types and extensions in a specific upload function, an attacker, without logging in, can upload arbitrary files through specific packets to achieve remote code execution.

Vulnerability List

An attacker, without logging in, can upload arbitrary files through specific packets to achieve remote code execution. This vulnerability can be classified under CWE-434: Unrestricted Upload of File with Dangerous Type. 


Details

1. Unrestricted File Upload

Description

The upload function at a specific path did not properly sanitize the user-supplied file path.

Impact

An unauthenticated user could exploit this vulnerability to upload a web shell and achieve remote code execution.
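
Mitigation example (added here for illustration; it is not code from the affected product or from the advisory authors): a server-side check that covers the three gaps described above, namely the missing login requirement, the missing extension restriction, and the unsanitized file path. The upload directory, the allowed extensions and the function name are assumptions.

```python
import os
import secrets
from pathlib import Path

# Assumed policy values for illustration; not taken from the affected product.
UPLOAD_ROOT = Path("/srv/app/uploads")
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".png", ".jpg"}


class UploadRejected(Exception):
    """Raised when an upload request fails a policy check."""


def safe_upload_path(client_filename: str, authenticated: bool,
                     upload_root: Path = UPLOAD_ROOT) -> Path:
    """Return the server-side path an upload may be written to, or raise."""
    # 1. The flaw was reachable without logging in: require a session first.
    if not authenticated:
        raise UploadRejected("authentication required")

    # 2. Keep only the last path component of the client-supplied name,
    #    treating both "/" and "\" as separators.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base in {".", ".."} or "\x00" in base:
        raise UploadRejected("invalid file name")

    # 3. Allow-list the extension, case-insensitively. Trailing dots and
    #    spaces are stripped first because some file systems drop them.
    ext = os.path.splitext(base.rstrip(". "))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")

    # 4. Store under a server-generated name so the client never controls
    #    the name or location of the file on disk.
    root = upload_root.resolve()
    target = (root / f"{secrets.token_hex(16)}{ext}").resolve()

    # 5. Defence in depth: the resolved path must sit inside the root.
    if root not in target.parents:
        raise UploadRejected("path escapes upload directory")
    return target
```

An extension check alone does not validate file content; the upload directory should also sit outside the web root or be configured so the server never executes files from it.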

Known Affected Software

  • Versions up to and including v5.0

Credits

  • TsungShu Chiu (CHT Security)
  • Yu Ze Huang (CHT Security)