Wildfire IM Remote Code Execution Vulnerability via Arbitrary File Upload and Directory Traversal
Vulnerability
A critical remote code execution vulnerability has been identified in Wildfire IM versions prior to 1.4.3. The issue resides in the im-server component, specifically within the file upload functionality of UploadFileAction. The application exposes an endpoint (/fs) for multipart file uploads but fails to properly sanitize user-provided filenames. The vulnerability allows attackers to perform directory traversal, writing arbitrary files to any location on the server's filesystem where the application has write permissions. Exploitation of this vulnerability could lead to overwriting crucial configuration files or executing malicious scripts, thereby compromising the entire server.
Impact
Successful exploitation allows for remote code execution on the server.
Reproduction
The vulnerability can be reproduced by uploading a file through the /fs endpoint with directory traversal sequences in the filename. This requires forging a token using the hardcoded DES key 'abcdefgh' and then sending a multipart file upload request whose filename traverses out of the upload directory, so that the file is written to a location of the attacker's choosing on the server.
Remediation
Users are advised to update to Wildfire IM version 1.4.3 or later, where this vulnerability has been fixed.
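For readers hardening a similar upload handler, the following is an added illustration of the defensive check the fix implies; it is not code from the Wildfire IM project (whose im-server is Java) and uses a constructed upload root and hypothetical function names. It applies two independent layers: a conservative filename allowlist that rejects separators, dot components, NUL bytes and encoded variants, and a path-containment check on the resolved target before any write.

```python
import re
from pathlib import Path

# Constructed sample root; a real server would take this from its config.
UPLOAD_ROOT = Path("/srv/im/uploads")

# Allowlist for stored names: leading alphanumeric, then a short safe set.
# Anything like "%2e%2e", "..", "/" or "\" fails this pattern outright.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def sanitize_filename(user_filename: str) -> str:
    """Return a safe basename for a client-supplied multipart filename.

    Raises ValueError for anything that could steer the write outside the
    upload directory: path separators of either style, '.'/'..' components,
    NUL bytes, or characters outside the allowlist.
    """
    if not user_filename or "\x00" in user_filename:
        raise ValueError("empty or NUL-containing filename")
    # Fold Windows separators so one check covers both styles.
    name = user_filename.replace("\\", "/")
    if "/" in name or name in (".", ".."):
        raise ValueError("path separators or dot components are not allowed")
    if not _SAFE_NAME.match(name):
        raise ValueError("filename contains disallowed characters")
    return name


def is_safe_filename(user_filename: str) -> bool:
    """Boolean form, convenient for screening requests or log entries."""
    try:
        sanitize_filename(user_filename)
        return True
    except ValueError:
        return False


def resolve_upload_path(upload_root: Path, user_filename: str) -> Path:
    """Sanitize the name and prove the final path stays inside upload_root.

    The containment check is deliberately independent of the allowlist: if
    the allowlist is ever loosened, a resolved path that escapes the root is
    still refused before the file is written.
    """
    name = sanitize_filename(user_filename)
    root = upload_root.resolve()
    target = (root / name).resolve()
    if target != root and root not in target.parents:
        raise ValueError("resolved path escapes upload root")
    return target
```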
