jshERP Unauthenticated Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in jshERP versions prior to commit fbda24da. It allows unauthenticated users to execute arbitrary code on the server via the jsh_erp function. The root cause is improper access control: the URL validation intended to prevent path traversal can be bypassed, so requests reach endpoints that should require authentication.
Impact
Exploitation of this vulnerability allows for unauthorized remote code execution on the server where jshERP is hosted.
Reproduction
The vulnerability can be reproduced by sending a GET request to the '/jshERP-boot/webjars/swagger-ui/css/..;1=1/..;1=1/..;1=1/account/findBySelect' endpoint. This request bypasses the application's authentication checks and accesses a user information endpoint that should require authorization. After successfully accessing this endpoint, an attacker can create a new user with administrative privileges by posting to the '/user/add' endpoint with the appropriate data, including the hashed password of an existing admin user. Once the new user is created, the attacker can log in as that user and exploit the remote code execution vulnerability by uploading a malicious plugin that executes arbitrary code on the server.
Remediation
Users are advised to update to the latest version of jshERP, as the vulnerability has been addressed in a subsequent commit.
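The bypass in the reproduction above works because the request path starts with a public static-resource prefix but, once the servlet container strips the `..;1=1` path parameters and resolves the `..` segments, it is routed to a protected endpoint. As an added example (not code from the advisory or the jshERP project), the Python below normalizes request URIs the way a container does, shows a whitelist check that decides on the normalized path instead of the raw URI, and flags such requests in access logs; the log lines and the public-prefix list are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample access-log lines (illustrative, not from the advisory): METHOD URI STATUS
SAMPLE_LOG = """\
GET /jshERP-boot/webjars/swagger-ui/css/swagger-ui.css 200
GET /jshERP-boot/webjars/swagger-ui/css/..;1=1/..;1=1/..;1=1/account/findBySelect 200
GET /jshERP-boot/user/login 200
POST /jshERP-boot/user/add 200
"""

# Assumed: paths the application serves without authentication.
PUBLIC_PREFIXES = ("/jshERP-boot/webjars/", "/jshERP-boot/user/login")

def normalize_path(raw_uri: str) -> str:
    """Approximate the path the servlet container actually routes: drop the query string,
    percent-decode, strip ';param' from each segment ('..;1=1' -> '..'), resolve '.' and '..'."""
    path = unquote(raw_uri.split("?", 1)[0])
    resolved = []
    for segment in path.split("/"):
        segment = segment.split(";", 1)[0]
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)

def is_public(path: str) -> bool:
    return path.startswith(PUBLIC_PREFIXES)

def should_skip_auth(raw_uri: str) -> bool:
    """Hardened whitelist check: decide on the normalized path, never on the raw URI."""
    return is_public(normalize_path(raw_uri))

def find_bypasses(log_text: str) -> list:
    """Detection: flag requests whose raw URI matches a public prefix but whose normalized
    path does not. That mismatch is the signature of this bypass in access logs."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, uri, status = line.split()
        effective = normalize_path(uri)
        if is_public(uri) and not is_public(effective):
            hits.append({"method": method, "uri": uri,
                         "effective_path": effective, "status": int(status)})
    return hits
```

Run `find_bypasses(SAMPLE_LOG)` and only the second log line is reported, resolving to `/jshERP-boot/account/findBySelect`; the same normalized-path rule is what a whitelist filter should apply before skipping authentication.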
