Weaver E-office
cpe:2.3:a:weaver:e-office:*:*:*:*:*:*:*
- < 10.0_20221201
A vulnerability exists in Weaver E-Office versions prior to 10.0_20221201, allowing unauthenticated arbitrary file uploads through the OfficeServer.php endpoint. Remote attackers can exploit this vulnerability by sending multipart POST requests with arbitrary filenames and disguised content types. Successfully uploaded files, such as PHP webshells, can be executed via HTTP GET requests, leading to remote code execution as the web server user.
Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running as the web server user.
To reproduce this vulnerability, send a multipart POST request to the OfficeServer.php endpoint. Include a file in the 'FileData' field, using an arbitrary filename and a content type that disguises the file's true nature, such as 'application/octet-stream'. In the 'FormData' field, specify the username, record ID, option to save the file, and the desired filename for the uploaded file. Once the request is sent, the server will respond with a success status, indicating that the file has been uploaded. The uploaded file can then be accessed through the web server.
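A defender-side check for the request shape described above, as an added example that is not part of the original advisory or any vendor code: it parses a captured multipart POST to OfficeServer.php and flags requests whose FormData field asks for a server-executable filename. The extension list, the `/app/` path and the sample request, including the FormData value, are constructed assumptions.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP

# Assumed list of extensions a PHP-enabled server executes; tune per deployment.
EXEC_NAME = re.compile(rb"[\w.\-]+\.(?:php\d?|phtml|phar)\b", re.I)

def inspect_upload(path, content_type, body):
    """Return findings for one captured POST request; an empty list means no flag."""
    if not path.split("?", 1)[0].lower().endswith("/officeserver.php"):
        return []
    if not content_type.lower().startswith("multipart/form-data"):
        return []
    # Prepend the request's Content-Type so the stdlib MIME parser can split the parts.
    raw = b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    fields = {p.get_param("name", header="content-disposition"): p
              for p in msg.iter_parts()}
    upload, form = fields.get("FileData"), fields.get("FormData")
    if upload is None or form is None:
        return []
    # FormData's encoding is not given in the advisory, so treat it as opaque bytes.
    requested = EXEC_NAME.search(form.get_payload(decode=True) or b"")
    if not requested:
        return []
    return ["FormData asks to save %r; FileData declared as %r (%s)" % (
        requested.group().decode(), upload.get_filename(), upload.get_content_type())]

def sample_request(form_value):
    """Constructed multipart body for testing; the file content is a placeholder."""
    b = "XbOuNdArY"
    body = ("--{0}\r\n"
            'Content-Disposition: form-data; name="FileData"; filename="report.jpg"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n"
            "PLACEHOLDER-CONTENT\r\n"
            "--{0}\r\n"
            'Content-Disposition: form-data; name="FormData"\r\n\r\n'
            "{1}\r\n"
            "--{0}--\r\n").format(b, form_value)
    return "multipart/form-data; boundary=" + b, body.encode()

if __name__ == "__main__":
    ct, body = sample_request("FILENAME=report.php")  # constructed value
    print(inspect_upload("/app/OfficeServer.php", ct, body))
```

Because the endpoint accepts the upload without authentication, any hit on an unpatched host is worth following up by checking for subsequent GET requests to the saved filename.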