Headline
CVE-2023-1501: cve/Rockoa.md · xieqiang/cve - Gitee.com
A vulnerability, which was classified as critical, was found in RockOA 2.3.2. This affects the function runAction of the file acloudCosAction.php.SQL. The manipulation of the argument fileid leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223401 was assigned to this vulnerability.
RockOA v2.3.2 has a file upload vulnerability
Vulnerable file: qcloudCosAction.php
1. Log in to the background and find any file upload point. In fact, the upload points are all the same: they call the same interface.
2. The .php suffix of the uploaded file is replaced with the suffix .uptemp and stored in the database.
3. While searching for the function point, I found a way to decrypt the base64 file, and fetched the corresponding data from the database according to the id. Replace the suffix of the original file with the suffix of the uploaded file, that is, the uploaded .php.
4. Access the function point through the route.
5. Substitute the id value from the previous upload. The file is found to have had its suffix replaced.
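The weak point in the steps above is the restore step, where a stored suffix becomes a real file suffix without being checked. The following is an added example of a hardened restore step, not RockOA's own code; the function name `restore_upload`, the row fields `original_name` and `temp_path`, and the allowlist contents are assumptions made for illustration.

```php
<?php
// Added example: hypothetical restore step, not RockOA's code.
// Assumption: a DB row holds the original file name and the on-disk path of
// the temporary copy that was stored with the .uptemp suffix.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'docx', 'xlsx', 'txt'];

/**
 * Restore a temporary upload under a server-chosen name, or refuse.
 * Returns the final path on success, null when the record is rejected.
 */
function restore_upload(array $row, string $uploadDir): ?string
{
    // The extension comes from user-influenced data saved at upload time, so
    // it is validated here, at the point where it becomes a real suffix.
    $ext = strtolower(pathinfo($row['original_name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // The temp path must resolve inside the upload directory and end in .uptemp.
    $base = realpath($uploadDir);
    $tmp  = realpath($row['temp_path']);
    if ($base === false || $tmp === false
        || strncmp($tmp, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || substr($tmp, -7) !== '.uptemp') {
        return null;
    }

    // The final name is generated server-side; only the validated extension
    // is reused, so the stored name never reaches the filesystem.
    $final = $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    return rename($tmp, $final) ? $final : null;
}

// Constructed demo: one benign record and one whose original name ends in .php.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upl_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
foreach (['report.pdf', 'shell.php'] as $i => $name) {
    $tmp = $dir . DIRECTORY_SEPARATOR . "f$i.uptemp";
    file_put_contents($tmp, 'constructed sample');
    $out = restore_upload(['original_name' => $name, 'temp_path' => $tmp], $dir);
    echo $name, ' => ', $out === null ? 'rejected' : basename($out), PHP_EOL;
}
```

Serving the upload directory with script execution disabled at the web server is a separate layer that still applies if a check like this is bypassed.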