DzzOffice
cpe:2.3:a:dzzoffice:dzzoffice:*:*:*:*:*:*:*
- <= 2.3.7
An arbitrary file upload vulnerability has been identified in DzzOffice versions through 2.3.7. The issue resides in the UEditor backend file upload controller, which lacks proper authentication and validation, allowing unauthorized users to upload malicious files. The uploaded files can be executed as scripts, potentially leading to persistent cross-site scripting or malware distribution. Additionally, the vulnerability can be exploited to perform server-side request forgery, fetching internal resources.
Exploitation of this vulnerability allows for unauthorized file uploads, which can be executed as scripts, creating a high risk of cross-site scripting or malware distribution. The vulnerability also enables server-side request forgery, with the potential to access internal network resources.
To reproduce this vulnerability, send a POST request to '/dzz/system/ueditor/php/controller.php?action=uploadfile' with a file named 'poc.html' containing a malicious script, such as a JavaScript alert. The request must include the appropriate headers for multipart form data.
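A detection sketch for the request described above, added here as an example and not taken from the advisory or from DzzOffice: it scans web server access logs for POSTs to the UEditor controller with `action=uploadfile`. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote

# Endpoint and action named in the advisory.
CONTROLLER = "/dzz/system/ueditor/php/controller.php"
ACTION = "uploadfile"

# Assumed format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "POST /dzz/system/ueditor/php/controller.php?action=uploadfile HTTP/1.1" 200 187 "-" "curl/8.0"',
    '198.51.100.4 - - [12/Mar/2024:10:15:09 +0000] "GET /dzz/system/ueditor/php/controller.php?action=config HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:16:40 +0000] "POST /dzz//system/ueditor/PHP/controller.php?action=upload%66ile HTTP/1.1" 403 0 "-" "curl/8.0"',
    '192.0.2.10 - - [12/Mar/2024:10:17:01 +0000] "POST /index.php HTTP/1.1" 200 55 "-" "Mozilla/5.0"',
]

def _normalise_path(raw_path):
    """Percent-decode, collapse repeated slashes, resolve ./ and ../,
    and lowercase so that trivially disguised paths still compare equal."""
    decoded = unquote(raw_path).lstrip("/")
    return posixpath.normpath("/" + decoded).lower()

def find_upload_attempts(lines):
    """Return one dict per POST to the controller with action=uploadfile."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Split by hand: urlsplit would read a leading "//" as a host name.
        raw_path, _, query = m["target"].partition("?")
        path = _normalise_path(raw_path)
        # Also match PATH_INFO-style suffixes such as controller.php/x
        if path != CONTROLLER and not path.startswith(CONTROLLER + "/"):
            continue
        actions = [a.lower() for a in parse_qs(query).get("action", [])]
        if ACTION in actions:
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "status": int(m["status"]), "target": m["target"]})
    return hits

if __name__ == "__main__":
    for hit in find_upload_attempts(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["target"])
```

A hit with a 2xx status means the controller accepted the request and the upload directory should be reviewed; a 403 or 404 indicates the request was blocked or the path is absent.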