CVE-2020-13894
📋 TL;DR
CVE-2020-13894 is an arbitrary file download vulnerability in the upload_handler.jsp component of DEXT5 Editor. The handler builds a file path from the client-supplied savefilepath parameter without confining it to the upload directory, so a directory traversal value (../ sequences, or their encoded equivalents) lets an unauthenticated attacker read any file the application server account can read, including application configuration and source. DEXT5 Editor version 3.5.1402961 and earlier are affected.
💻 Affected Systems
- DEXT5 Editor
📦 What is this software?
DEXT5 Editor is a browser-based WYSIWYG editor component that web applications embed; it ships with server-side helpers for file uploads. The vulnerable code is its JSP upload handler (upload_handler.jsp), deployed inside the host Java web application.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the application and its backing systems: the attacker downloads configuration files readable by the application server account (datasource definitions, property files, web.xml) that contain database or service credentials, then reuses those credentials for lateral movement and data exfiltration.
Likely Case
Sensitive file disclosure including configuration files, source code, or user data stored on the server.
If Mitigated
Limited impact if file system permissions confine the application server account to its own deployment directory and secrets are kept out of the web application tree (for example in a secrets manager or environment injected at start-up). Note that permissions alone never protect the application's own files: anything the server process must read to run, it can also serve to the attacker.
🎯 Exploit Status
Exploitation requires only a crafted HTTP request to the handler; no authentication or special tooling is needed. A public proof-of-concept demonstrates the attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: A version newer than 3.5.1402961 (the vendor has not published the exact fixed build; obtain the current release from the vendor)
Vendor Advisory: Not publicly documented by vendor
Restart Required: Yes
Instructions:
1. Upgrade DEXT5 Editor to a version newer than 3.5.1402961.
2. Restart the application server so the new JSP/WAR content is loaded.
3. Verify that the deployed upload_handler.jsp has been replaced (compare its checksum or modification time against the new release) and that a traversal request against it is now refused.
🔧 Temporary Workarounds
Restrict upload_handler.jsp access
Block or restrict access to the vulnerable JSP file using web server configuration or firewall rules. The /dext5/ prefix below is the page's assumed deployment path; substitute the path the editor is actually deployed under. Blocking the handler disables the editor's upload feature entirely, so if uploads must keep working, restrict by source address instead of denying all. The Apache snippet uses 2.4 syntax (2.2 would use Deny from all). Use a case-insensitive match (~* in Nginx) if the application server treats URL paths case-insensitively.
# Apache (2.4):
<Location "/dext5/upload_handler.jsp">
    Require all denied
</Location>
# Nginx:
location ~ /dext5/upload_handler\.jsp {
    deny all;
}
Input validation filter
Implement input validation in front of the handler (a servlet filter is the natural place in a Java deployment) that restricts the savefilepath parameter to the intended upload directory. Deny-listing the literal string ../ is not enough: decode the value (including double-encoded forms), treat backslashes as separators, normalise away . and .. segments, reject absolute paths, drive letters and NUL bytes, and then confirm that the canonical on-disk path still lies below the upload root before opening anything.
# Web application filter to validate savefilepath parameter against whitelist
🧯 If You Can't Patch
- Implement strict file system permissions so the application server account can read only its own deployment directory, and move credentials out of files under the web application tree
- Deploy a web application firewall (WAF) with rules blocking directory traversal patterns, including percent-encoded (%2e%2e%2f) and double-encoded variants and backslash separators; treat this as a stopgap, since pattern rules are bypassable and do not cover absolute paths if the handler accepts them
🔍 How to Verify
Check if Vulnerable:
On a system you are authorised to test, send an HTTP request to the handler (for example /dext5/upload_handler.jsp; the prefix depends on where the editor is deployed) with a savefilepath parameter pointing to a known file outside the upload directory, such as /etc/passwd (Linux) or C:\Windows\win.ini (Windows). If the response body contains the file's contents, the instance is vulnerable.
Check Version:
Check the DEXT5 Editor version in the web interface or its configuration files, or inspect the version string in the deployed JSP/WAR files. Any build at or below 3.5.1402961 is affected.
Verify Fix Applied:
Repeat the same test after patching: the request should be refused (an error status or an empty response) instead of returning file contents. Also confirm that a legitimate upload through the editor still works, so the fix has not simply broken the feature.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to upload_handler.jsp whose savefilepath parameter contains directory traversal sequences (../, ..\) or their percent-encoded and double-encoded forms (%2e%2e%2f, %2e%2e/, ..%5c, %252e%252e%252f)
- Requests for that parameter naming well-known system or application files (etc/passwd, win.ini, WEB-INF/web.xml), especially when answered with HTTP 200 and a non-trivial response size
- Unusual file access patterns from the web server process (reads of files outside the application and upload directories)
Network Indicators:
- HTTP GET/POST requests to upload_handler.jsp with long, deeply nested, or encoded savefilepath parameters, particularly many such requests from one source in a short time
SIEM Query (field names are illustrative; adapt to your schema, and decode the parameter before matching if the platform does not do so):
web.url="*upload_handler.jsp*" AND (web.param="*../*" OR web.param="*..\\*" OR web.param="*%2e%2e*" OR web.param="*%252e%252e*" OR web.param="*..%5c*")
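The following is an added example, not DEXT5 or vendor code. It shows the same decode-and-normalise logic used for both of the points above: the validation a filter in front of upload_handler.jsp should apply to savefilepath before any file is opened (the input validation workaround), and a scanner over web-server access-log lines that catches the encoded traversal forms a literal "../" match misses (the detection section). The handler path /dext5/upload_handler.jsp is the page's assumed deployment path, the upload root and the log lines are constructed samples, and the check is modelled in Python rather than as a Java servlet filter.

```python
"""
Added example for CVE-2020-13894 (not DEXT5 or vendor code).
One decode-and-normalise routine, used two ways:
  * resolve_savefilepath(): the check a filter in front of upload_handler.jsp
    should apply to savefilepath before opening any file;
  * scan_access_log(): flags requests to the handler whose savefilepath
    escapes the upload root, including percent-/double-encoded forms.
Assumptions: handler path /dext5/upload_handler.jsp, constructed log lines.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

HANDLER_PATH = "/dext5/upload_handler.jsp"   # assumption: depends on deployment
PARAM = "savefilepath"
MAX_DECODE_ROUNDS = 3                        # bounds double/triple encoding
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)


def decode_param(value):
    """Percent-decode until the value stops changing (bounded), so that
    %2e%2e%2f, %252e%252e%252f and friends all end up as '../'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalise(value):
    """Decode, unify Windows and POSIX separators, collapse '.' and '..'.
    Pure string normalisation: it does not touch the filesystem."""
    return posixpath.normpath(decode_param(value).replace("\\", "/"))


def escapes_root(norm):
    """True if a normalised value would leave the upload root: a surviving
    leading '..', an absolute POSIX path, a UNC path or a drive letter."""
    return (norm == ".." or norm.startswith("../") or norm.startswith("/")
            or re.match(r"^[A-Za-z]:", norm) is not None)


def resolve_savefilepath(base_dir, value):
    """Mitigation side. Return the path a hardened handler may serve, or None
    to reject. A real servlet filter would additionally canonicalise the
    result on disk (File.getCanonicalPath) so symlinks cannot escape."""
    if "\x00" in decode_param(value):
        return None                          # NUL truncation tricks: reject
    norm = normalise(value)
    if norm == "." or escapes_root(norm):    # normpath("") is "." (the root itself)
        return None
    base_dir = posixpath.normpath(base_dir)
    joined = posixpath.normpath(posixpath.join(base_dir, norm))
    if not joined.startswith(base_dir + "/"):
        return None                          # belt and braces: must stay below root
    return joined


def scan_access_log(lines):
    """Detection side. Return (client ip, decoded savefilepath, status) for
    every request to the handler whose savefilepath escapes the upload root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.lower() != HANDLER_PATH:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            norm = normalise(value)          # parse_qs removed one encoding layer
            if escapes_root(norm):
                hits.append((m.group("ip"), norm, m.group("status")))
    return hits


# Constructed sample log lines (combined-log request lines), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2020:10:01:02 +0000] "GET /dext5/upload_handler.jsp?savefilepath=editor/2020/photo.png HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Jun/2020:10:02:15 +0000] "GET /dext5/upload_handler.jsp?savefilepath=../../../../etc/passwd HTTP/1.1" 200 2031',
    '203.0.113.7 - - [10/Jun/2020:10:02:16 +0000] "GET /dext5/upload_handler.jsp?savefilepath=..%2f..%2f..%2fWEB-INF%2fweb.xml HTTP/1.1" 200 4410',
    '203.0.113.7 - - [10/Jun/2020:10:02:17 +0000] "GET /dext5/upload_handler.jsp?savefilepath=..%255c..%255c..%255cWindows%255cwin.ini HTTP/1.1" 200 92',
    '10.0.0.9 - - [10/Jun/2020:10:03:00 +0000] "GET /docs/../index.html HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for ip, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} requested {path!r} via {PARAM} (HTTP {status})")
```

Running the block flags the three requests from 203.0.113.7 (plain, single-encoded and double-encoded with backslashes) and ignores both the legitimate upload and the traversal-looking request to an unrelated path. The same normalisation rejects the traversal values on the mitigation side while still mapping benign relative names under the upload root; because it works on strings only, the on-disk canonical path check is still needed in the real filter.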