Fanwei E-Office Unauthenticated File Upload Vulnerability Allowing Remote Code Execution

A file upload vulnerability allowing for remote code execution has been identified in the Fanwei E-Office web management interface, specifically in versions through 9.4. The issue arises in the UploadFile.php endpoint, which fails to properly validate uploaded files when certain parameters are used. An attacker can exploit this vulnerability by sending a crafted HTTP POST request to upload arbitrary files without authentication. Successful exploitation could lead to a complete compromise of the web application and potentially the underlying system.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which can be leveraged to execute malicious code on the server. This could result in full control over the web application and access to the underlying operating system.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /general/index/UploadFile.php endpoint with the uploadType parameter set to either 'eoffice_logo' or 'theme'. The request must include a file payload that contains a PHP script. If the upload is successful, the uploaded file can be accessed through the /images/logo/ or /images/themes/ directories, depending on the uploadType used.

Remediation

Users are advised to update to the latest version of Fanwei E-Office, as the vendor has released a patch for this vulnerability.