Shenzhen Ruiming Technology Streamax Crocus Unrestricted File Upload Vulnerability

An arbitrary file upload vulnerability has been identified in Shenzhen Ruiming Technology's Streamax Crocus version 1.3.40. The issue arises in the 'uploadFile' function within the 'FileDir.do?Action=Upload' interface. This vulnerability allows for unrestricted file uploads by manipulating the 'File' argument, with the potential to upload malicious scripts that could be executed on the server. The vulnerability can be exploited remotely, and an exploit is publicly available.

Impact

Exploitation of this vulnerability allows for unrestricted file uploads, which could lead to the execution of uploaded malicious files on the server, potentially compromising the server's integrity and availability.

Reproduction

To reproduce this vulnerability, send a POST request to the 'FileDir.do?Action=Upload' endpoint. Include a crafted 'Saffron.U' cookie to bypass authentication. The request must be multipart/form-data and should attach a file with a '.jspx' extension, as the application only filters out '.jsp' files. Once the file is uploaded, it can be accessed from the 'Temp' directory on the server.