xiaoheiFS Remote Code Execution Vulnerability via Arbitrary File Upload in Payment Plugin
Vulnerability
A remote code execution vulnerability has been identified in xiaoheiFS versions through 0.3.15. The issue arises in the AdminPaymentPluginUpload endpoint, which allows admins to upload any file to the plugins/payment directory. The endpoint only verifies a hardcoded password and does not validate the file content. A background process scans the directory every five seconds, and if a new executable is detected, it is executed immediately, leading to remote code execution. This vulnerability has been patched in version 0.4.0.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where xiaoheiFS is hosted.
Reproduction
To reproduce this vulnerability, log in as an admin and navigate to the AdminPaymentPluginUpload endpoint. Upload a file while including the hardcoded password 'qweasd123456'. The uploaded file will be saved in the plugins/payment directory. After a five-second interval, the background watcher will scan for new executables and execute them, resulting in remote code execution.
Remediation
Users are advised to update to xiaoheiFS version 0.4.0 or later, where this vulnerability has been fixed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.