Zhiyuan OA Platform Arbitrary File Upload Vulnerability via Path Traversal
Vulnerability
A vulnerability allowing arbitrary file uploads has been identified in the Zhiyuan OA platform versions 5.0, 5.1 through 5.6sp1, 6.0 through 6.1sp2, 7.0, 7.0sp1 through 7.1, 7.1sp1, and 8.0 through 8.0sp2. This vulnerability exists in the wpsAssistServlet interface, where the realFileType and fileId parameters are not properly validated during multipart file uploads. As a result, unauthenticated attackers can exploit path traversal to upload malicious JSP files to unintended directories. Once uploaded, these files can be accessed and executed through the web server, leading to remote code execution.
Impact
Exploitation of this vulnerability allows unauthenticated arbitrary file upload; when the uploaded file is a JSP placed under a web-served directory, the server executes it, resulting in remote code execution.
Reproduction
To reproduce this vulnerability, send a multipart file upload request to the wpsAssistServlet interface. Include a crafted JSP file in the upload, using the realFileType and fileId parameters to traverse directories and place the file in a location where it can be executed by the web server. The default upload directory is 'C://Seeyon/A6/base/temporary', but the vulnerability allows for uploads to any directory.
Remediation
Users are advised to upgrade to the latest version of Zhiyuan OA. Instructions for downloading the patch can be found on the Zhiyuan official patch tools website.
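As an added example (not the vendor's servlet code), the following stand-alone Python function shows the validation the advisory says wpsAssistServlet lacks: fileId and realFileType are accepted only as single plain tokens, the extension is checked against an allowlist, and the final path is confirmed to stay under the upload directory. The base directory, the allowlist and the token pattern are assumptions; the base is a constructed Linux stand-in for the Windows default the advisory names.

```python
import os
import re

# Constructed stand-in for the upload directory; the advisory's real default
# is the Windows path C://Seeyon/A6/base/temporary.
UPLOAD_BASE = "/srv/oa/base/temporary"

# Assumed allowlist: document types the assist servlet legitimately handles.
# Anything the servlet container would execute (jsp, jspx, ...) is absent.
ALLOWED_EXT = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt"}

# One path component: no separators, no dots, so '..', '../', '..\\' and
# absolute paths can never reach the filesystem join below.
_TOKEN = re.compile(r"[A-Za-z0-9_\-]{1,64}")


def resolve_upload_path(real_file_type: str, file_id: str,
                        base_dir: str = UPLOAD_BASE):
    """Return the on-disk path for an upload, or None if it must be rejected.

    Three independent checks, any of which stops the traversal described in
    the advisory: token validation of fileId, an extension allowlist for
    realFileType, and a containment check on the normalised result.
    """
    # fullmatch (not match) so a trailing newline or stray character fails too.
    if not _TOKEN.fullmatch(file_id):
        return None

    ext = real_file_type.lower().lstrip(".")
    if ext not in ALLOWED_EXT:
        return None

    candidate = os.path.normpath(os.path.join(base_dir, f"{file_id}.{ext}"))

    # Defence in depth: even with a clean token, confirm the normalised path
    # still lives under base_dir before anything touches the filesystem.
    base_norm = os.path.normpath(base_dir)
    if os.path.commonpath([base_norm, candidate]) != base_norm:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request parameter pairs: one legitimate, two abusive.
    for ftype, fid in [("docx", "report2024"),
                       ("jsp", "cmd"),
                       ("docx", "../../webapps/ROOT/cmd")]:
        print(repr((ftype, fid)), "->", resolve_upload_path(ftype, fid))
```

The containment check is deliberately kept even though the token regex already excludes separators, so a future relaxation of the token pattern cannot silently reintroduce the traversal.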