CVE-2021-42967
📋 TL;DR
This vulnerability allows attackers to upload malicious JSP files without restrictions in novel-plus's file controller. It affects all versions of novel-plus, enabling remote code execution on affected servers.
💻 Affected Systems
- novel-plus
📦 What is this software?
Novel Plus by Xxyopen
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, or use as attack platform
Likely Case
Webshell installation allowing persistent backdoor access and further exploitation
If Mitigated
File uploads blocked or properly validated, preventing malicious file execution
🎯 Exploit Status
Simple HTTP POST request with malicious JSP file payload
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://github.com/201206030/novel-plus/issues/62
Restart Required: Yes
Instructions:
1. Review GitHub issue #62 for community fixes
2. Implement file upload validation
3. Restart application after changes
🔧 Temporary Workarounds
Web Application Firewall Rule
Block JSP file uploads at the WAF level
WAF-specific configuration to block .jsp file uploads
File Extension Restriction
Configure server to reject JSP file uploads
Modify FileController.java to validate file extensions
🧯 If You Can't Patch
- Disable file upload functionality completely
- Implement strict file type validation and store uploaded files outside webroot
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a JSP file via the /novel-admin file upload endpoint
Check Version:
Check novel-plus version in application properties or build files
Verify Fix Applied:
Test that JSP file uploads are rejected or properly validated
📡 Detection & Monitoring
Log Indicators:
- JSP file uploads in access logs
- Unusual file upload patterns
Network Indicators:
- HTTP POST requests with .jsp files to upload endpoints
SIEM Query:
source="web_logs" AND (uri_path="/file/upload" OR uri_path="/novel-admin") AND file_extension=".jsp"