QiAnXin TianQing Management Center rptsvr Path Traversal Vulnerability Allowing Arbitrary File Upload

A path traversal vulnerability has been identified in the QiAnXin TianQing Management Center, specifically in versions through 6.7.0.4130. This vulnerability resides within the rptsvr component and allows unauthenticated attackers to upload files to arbitrary locations on the server. The issue arises because the /rptsvr/upload endpoint does not properly sanitize the filename parameter in multipart form-data requests, enabling path traversal. As a result, attackers can place executable files in web-accessible directories, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary file upload, with the potential to execute uploaded files as code, leading to remote code execution on the server.

Reproduction

To reproduce this vulnerability, send a POST request to the /rptsvr/upload endpoint with a crafted filename that includes path traversal sequences. The request must be sent as multipart form-data. Once the file is uploaded, it can be accessed through the web server, and if the uploaded file is a script, it can be executed to gain remote code execution on the server.

Remediation

Users are advised to upgrade to the latest version of QiAnXin TianQing Management Center. If an upgrade is not possible, the rptsvr interface can be disabled or removed.