Jiusi OA OfficeServer Interface Unrestricted File Upload Vulnerability

A vulnerability allowing arbitrary file uploads has been identified in Jiusi OA versions prior to 20251102. This issue resides within the OfficeServer Interface, specifically in the file '/OfficeServer?isAjaxDownloadTemplate=false'. The vulnerability is triggered by manipulating the 'FileData' argument, which leads to unrestricted file uploads. This flaw can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for unrestricted file uploads, which could be used to upload malicious files that are processed within the application's environment. This could lead to various consequences, such as executing uploaded files if they are of a type that the server processes as executable, or causing a denial-of-service by overwriting critical files.

Reproduction

To reproduce this vulnerability, send a POST request to '/jsoa/OfficeServer?isAjaxDownloadTemplate=false' with 'FileData' set to a file such as a JPEG image. Include a payload in the file that, when executed, could delete a file on the server. Also, add a 'test' field with a JSON object specifying the 'OPTION' as 'SAVEFILE', 'isDoc' as 'false', 'moduleType' as 'govdocument', 'RECORDID' as a path to a user check file, and 'FILETYPE' as '.jsp'. After uploading, the file can be accessed through the 'CheckUser.jsp' endpoint.