Sangfor Operation and Maintenance Management System Unauthenticated File Upload Vulnerability Allowing Remote Code Execution

A critical vulnerability allowing unrestricted file upload has been identified in Sangfor Operation and Maintenance Management System (OSM) versions prior to 3.0.8. The issue resides in the '/fort/trust/version/common/common.jsp' file, where the application fails to enforce authentication or proper file type validation. This allows remote, unauthenticated attackers to upload malicious files, such as '.jsp' web shells, which are then executed on the server, leading to remote code execution with the web server's privileges.

Impact

Exploitation of this vulnerability allows for arbitrary file upload, which can be used to upload malicious files that are executed on the server, resulting in remote code execution.

Reproduction

To reproduce this vulnerability, send a crafted HTTP POST request to the '/fort/trust/version/common/common.jsp' endpoint. The request must include a file named '1.jsp' in the 'multipart/form-data' body. Once the file is uploaded, it can be accessed through the web server, typically under '/fort/trust/version/common/1.jsp'.

Remediation

It is recommended to implement authentication and access controls for the '/fort/trust/' directory or specifically for 'common.jsp'. Additionally, a whitelist approach for file uploads should be adopted, allowing only safe file types and rejecting executable extensions. Finally, configure the web server to disable script execution in the upload directory.