BMC Compuware iStrobe Web Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in BMC Compuware iStrobe Web version 20.13. This vulnerability allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Exploitation involves using the 'fileName' parameter to upload a web shell, which can then be accessed to execute arbitrary commands.
Impact
Exploitation of this vulnerability allows for pre-authentication remote code execution on the server where Compuware iStrobe Web 20.13 is hosted.
Reproduction
To reproduce this vulnerability, upload a JSP file containing a web shell payload through the file upload form, using the 'fileName' parameter to traverse directories and place the file in an accessible location. After uploading, the web shell can be accessed via the URL where it was uploaded, allowing for command execution on the server.
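The root cause described above is an upload handler that trusts the 'fileName' parameter both as a location (so '..' segments walk out of the upload directory) and as a type (so a .jsp lands somewhere the servlet container will execute it). The following added example, which is not BMC's code and not part of the iStrobe product, shows the two defensive checks a handler needs and a small log review that flags requests of this shape. The upload root, the allowed-extension list, the '/upload' endpoint and the sample access-log lines are all constructed for the example.

```python
"""
Defensive handling of a user-supplied upload file name, plus detection of
traversal attempts in access logs. Added example; all names are assumed.
"""
import os
import re
from urllib.parse import unquote

# Assumption: the application only needs to accept document-style uploads.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".pdf", ".png"}

# Extensions a servlet container may execute; never accept these under the web root.
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".jsw", ".jsv", ".war"}


class UnsafeFileName(ValueError):
    """Raised when a supplied file name must not be written anywhere."""


def safe_upload_path(upload_root: str, file_name: str) -> str:
    """Return an absolute path inside upload_root for file_name, or raise."""
    # Decode once so '%2e%2e%2f' style encodings are judged on their real value.
    decoded = unquote(file_name)
    if "\x00" in decoded:
        raise UnsafeFileName("NUL byte in file name")
    # A file name must be a bare name: directory separators and dot segments
    # are exactly how the traversal in this bug class works.
    if "/" in decoded or "\\" in decoded or decoded in ("", ".", ".."):
        raise UnsafeFileName("path separators or dot segments not allowed")
    base = os.path.basename(decoded)  # no-op after the checks above; kept as defence in depth
    ext = os.path.splitext(base)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS or ext not in ALLOWED_EXTENSIONS:
        raise UnsafeFileName(f"extension {ext!r} not permitted")
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, base))
    # Final containment check: the resolved path must still be under the root.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeFileName("resolved path escapes upload root")
    return target


def is_safe_upload_name(upload_root: str, file_name: str) -> bool:
    """Boolean wrapper around safe_upload_path for policy checks and tests."""
    try:
        safe_upload_path(upload_root, file_name)
        return True
    except UnsafeFileName:
        return False


# Raw and URL-encoded forms of '../' and '..\' as they appear in query strings.
TRAVERSAL_RE = re.compile(r"(\.\.[/\\]|\.\.%2f|\.\.%5c|%2e%2e(%2f|%5c|/|\\))", re.IGNORECASE)
FILENAME_PARAM_RE = re.compile(r"fileName=([^&\s\"]+)")


def flag_upload_requests(log_lines):
    """Return (line_number, reason) for lines whose fileName value looks like
    a traversal attempt or a server-executable file type."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = FILENAME_PARAM_RE.search(line)
        if not match:
            continue
        raw = match.group(1)
        decoded = unquote(raw)
        if TRAVERSAL_RE.search(raw) or TRAVERSAL_RE.search(decoded):
            hits.append((number, "traversal"))
        elif os.path.splitext(decoded)[1].lower() in EXECUTABLE_EXTENSIONS:
            hits.append((number, "executable extension"))
    return hits


# Constructed sample access-log lines; the '/upload' endpoint is hypothetical.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /upload?fileName=report.pdf HTTP/1.1" 200 51',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "POST /upload?fileName=..%2F..%2Fwebroot%2Fx.jsp HTTP/1.1" 200 51',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "POST /upload?fileName=notes.jsp HTTP/1.1" 200 51',
]

if __name__ == "__main__":
    for name in ("report.pdf", "../../x.jsp", "..%2F..%2Fx.jsp", "notes.jsp"):
        print(f"{name!r:>22}: {'accepted' if is_safe_upload_name('/srv/uploads', name) else 'rejected'}")
    for number, reason in flag_upload_requests(SAMPLE_ACCESS_LOG):
        print(f"log line {number}: {reason}")
```

The containment check on the resolved path is kept even though the separator check already rejects traversal; it costs nothing and still holds if a later change relaxes the name rules. The log review decodes each value once and tests both the raw and decoded forms, so single-encoded sequences are caught without assuming which layer of the stack decoded the request.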