HUSTOJ Path Traversal Vulnerability in ZIP File Import Modules Leading to Remote Code Execution

Vulnerability

A path traversal vulnerability allowing remote code execution has been identified in HUSTOJ, an open-source online judge system. This issue affects versions prior to 26.01.24, specifically the problem_import_qduoj.php and problem_import_hoj.php modules. The vulnerability arises because these modules do not validate the entry filenames of uploaded ZIP archives before extracting them. An attacker can craft a ZIP file whose entries carry path traversal sequences, such as '../../shell.php'. When the server extracts the archive, those entries are written to arbitrary locations under the web root, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary file writing on the server, with the potential for remote code execution.

Reproduction

To reproduce this vulnerability, create a ZIP file that includes a file named '../../shell.php', adjusting the path traversal depth as necessary. Upload this ZIP file through the admin panel. The server will extract the file to the web root, bypassing the intended upload directory. Once the file is in the web root, accessing it will trigger the remote code execution.

Remediation

Users should update to HUSTOJ version 26.01.24 or later, where this vulnerability has been fixed.
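The fix this class of bug needs is a containment check on every archive entry before anything is written. The following is an added illustration in Python (not HUSTOJ code, and not its PHP patch): it builds a constructed in-memory ZIP with one legitimate entry and one '../../shell.php' entry, flags any entry whose resolved path leaves the destination directory, and refuses the whole archive in that case.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive: a legitimate entry plus one using the traversal
# form described in the advisory. The shell.php body is inert placeholder text.
SAMPLE_ENTRIES = {
    "problem.json": b'{"title": "A+B"}',
    "../../shell.php": b"<?php /* constructed placeholder, not a shell */ ?>",
}

def build_zip(entries):
    """Build an in-memory ZIP; zipfile keeps '..' in entry names verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def escaping_entries(zip_bytes, dest):
    """Return the entry names whose resolved path lands outside dest."""
    dest_real = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Normalise separators so a backslash name cannot dodge the check.
            target = os.path.realpath(os.path.join(dest_real, name.replace("\\", "/")))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(name)
    return bad

def safe_extract(zip_bytes, dest):
    """Refuse the whole archive if any entry escapes; otherwise write the files."""
    bad = escaping_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive, traversal in entries: {bad}")
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest_real, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_real))
    return written

def demo():
    """Run both cases in a scratch directory: (flagged names, refused?, clean extraction)."""
    with tempfile.TemporaryDirectory() as d:
        flagged = escaping_entries(build_zip(SAMPLE_ENTRIES), d)
        try:
            safe_extract(build_zip(SAMPLE_ENTRIES), d)
            refused = False
        except ValueError:
            refused = True
        clean = safe_extract(build_zip({"problem.json": b"{}"}), d)
    return flagged, refused, clean

if __name__ == "__main__":
    print(demo())
```

The same check applies to PHP's ZipArchive: iterate the entry names and compare each resolved target against the intended import directory before calling the extraction routine.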

Added: Jan 27, 2026, 1:21 AM
Updated: Jan 27, 2026, 1:21 AM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 2.4
threat: 7.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.