Harvard University Dataverse Remote Code Execution Vulnerability via Unrestricted File Upload
Vulnerability
A remote code execution vulnerability has been identified in Harvard University IQSS Dataverse versions prior to 6.8. The issue arises in the theme customization component, specifically within the file '/ThemeAndWidgets.xhtml'. The vulnerability allows unrestricted file uploads because the only restriction on file extensions is enforced client-side. While the interface initially limits uploads to '.jpg' and '.png' files, this restriction can be circumvented by manipulating the upload request to include a different file type. Exploitation is possible remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running under the web server user. This could lead to a full compromise of the host server, unauthorized access to the application database and sensitive files, lateral movement within the internal network, and persistent access through the deployment of web shells.
Reproduction
To reproduce this vulnerability, a user with permission to edit a Dataverse can access the theme customization settings. Once there, the logo upload feature can be used. The front-end validation can be bypassed by intercepting the upload request with a proxy tool, such as Burp Suite. After bypassing the validation, the file can be uploaded as 'webshell.jsp', for example, and will be executed on the server.
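The root cause above is validation that exists only in the browser. As an added illustration (not Dataverse's own code), the following server-side check accepts a logo only when the extension, Content-Type and leading bytes all agree that it is a JPEG or PNG, and never reuses the client-supplied filename; the sample inputs are constructed placeholders, not real files.

```python
# Added example, not part of the Dataverse code base: server-side validation
# for a logo upload. Client-supplied name and Content-Type are untrusted hints.
import os
import secrets

# Allowed extensions and the magic bytes each format must begin with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


class UploadRejected(ValueError):
    """Raised when an upload fails any server-side check."""


def validate_logo_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected."""
    # 1. Strip directories and use only the last extension, so a name such as
    #    "logo.png.jsp" is judged by ".jsp", not by the ".png" in the middle.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # 2. Content-Type must be consistent with the extension. A header is cheap
    #    to spoof, so this is a sanity check rather than the real gate.
    expected_ct = "image/png" if ext == ".png" else "image/jpeg"
    if content_type.split(";")[0].strip().lower() != expected_ct:
        raise UploadRejected("Content-Type does not match extension")
    # 3. The real gate: the bytes must start with that format's magic number.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise UploadRejected("content is not a valid image of that type")
    # 4. Store under a random server-chosen name; the client never picks it.
    return f"logo-{secrets.token_hex(8)}{ext}"


def check(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason) so the outcome can be inspected or logged."""
    try:
        validate_logo_upload(filename, content_type, data)
        return True, "accepted"
    except UploadRejected as exc:
        return False, str(exc)


# Constructed samples: a PNG header padded with zeros, and a JSP-looking blob
# that a client might rename to "logo.png" and label image/png.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JSP_SAMPLE = b"<%@ page %>" + b"\x00" * 16  # placeholder text, not a working page
```

Magic bytes alone do not rule out a polyglot that is both a valid image and server-side script, so a production handler should also decode and re-encode the image with an image library and write it to a location the servlet container does not execute.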
Remediation
Users are advised to upgrade to Dataverse version 6.10 or later, where this vulnerability has been addressed.
