CVE-2022-23315
📋 TL;DR
MCMS v5.2.4 contains an arbitrary file upload vulnerability in the /ms/template/writeFileContent.do endpoint that allows attackers to upload malicious files to the server. This affects all systems running MCMS v5.2.4 with the vulnerable component accessible. Attackers can exploit this to achieve remote code execution or compromise the web server.
💻 Affected Systems
- MCMS
📦 What is this software?
Mcms by Mingsoft
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, ransomware deployment, or use as a pivot point into internal networks.
Likely Case
Webshell upload leading to persistent backdoor access, data exfiltration, and further system exploitation.
If Mitigated
Limited impact with proper file upload validation, restricted permissions, and network segmentation in place.
🎯 Exploit Status
The vulnerability requires no authentication and has publicly available proof-of-concept code. Simple HTTP POST requests can exploit this vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v5.2.5 or later
Vendor Advisory: https://gitee.com/mingSoft/MCMS/issues/I4Q4PX
Restart Required: Yes
Instructions:
1. Back up your current MCMS installation and database.
2. Download MCMS v5.2.5 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Restart the web application server.
5. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
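Temporarily block access to the vulnerable /ms/template/writeFileContent.do endpoint using web server configuration.
# For Apache (server or virtual-host context, requires mod_rewrite; in .htaccess the pattern must not start with "/"):
RewriteEngine On
RewriteRule ^/ms/template/writeFileContent\.do$ - [F,L]
# For Nginx (inside the server block):
location ~ ^/ms/template/writeFileContent\.do$ { return 403; }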
Implement File Upload Restrictions
Configure a web application firewall or the server to restrict file uploads to specific extensions and validate file content.
# Example for Apache mod_security (this rule denies every request to the endpoint):
SecRule REQUEST_URI "@contains /ms/template/writeFileContent.do" "id:1001,phase:2,deny,status:403"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the MCMS server from critical systems
- Deploy a web application firewall with rules to detect and block file upload exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a test file to /ms/template/writeFileContent.do endpoint. If successful without proper validation, the system is vulnerable.
Check Version:
Check the MCMS version in the admin panel or examine the application's version files in the installation directory.
Verify Fix Applied:
After patching, attempt the same file upload test. The request should be rejected with proper error messages or validation failures.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /ms/template/writeFileContent.do with file upload parameters
- Unusual file creation in web directories
- Webshell-like file names (e.g., .jsp, .php, .aspx) in upload directories
Network Indicators:
- Unusual outbound connections from the web server
- HTTP requests with file upload patterns to the vulnerable endpoint
SIEM Query:
source="web_server" AND (url="/ms/template/writeFileContent.do" OR file_upload="true")
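An added example (not part of the original advisory or of MCMS) implementing the first log indicator above: it scans access-log lines for POST requests to the endpoint after normalising percent-encoding, servlet path parameters and a context-path prefix. The combined log format, the `/mcms` context path and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoint from the advisory, lower-cased for comparison after normalisation.
ENDPOINT = "/ms/template/writefilecontent.do"

# Assumed log layout: common/combined access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalise_path(target):
    """Reduce a request target to a comparable lower-case path."""
    path = target.split("?", 1)[0]            # drop the query string
    path = unquote(unquote(path))             # single and double percent-encoding
    # Drop servlet path parameters (";jsessionid=...") from every segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath(path).lower()   # collapse "//" and "/./"

def find_hits(lines):
    """Return (ip, timestamp, status) for each POST that reaches the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # endswith() also covers deployments under a context path.
        if normalise_path(m["target"]).endswith(ENDPOINT):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2022:10:00:01 +0000] "POST /ms/template/writeFileContent.do HTTP/1.1" 200 57 "-" "-"',
    '203.0.113.7 - - [10/Jan/2022:10:00:05 +0000] "POST /mcms/ms/template/%77riteFileContent.do;x=1?a=b HTTP/1.1" 200 57 "-" "-"',
    '198.51.100.4 - - [10/Jan/2022:10:01:00 +0000] "GET /ms/template/writeFileContent.do HTTP/1.1" 405 0 "-" "-"',
    '198.51.100.4 - - [10/Jan/2022:10:02:00 +0000] "POST /ms/login.do HTTP/1.1" 200 120 "-" "-"',
    '203.0.113.7 - - [10/Jan/2022:11:00:00 +0000] "POST /ms/template/writeFileContent.do HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, ts, status in find_hits(SAMPLE):
        # 2xx: the request was served; 403: a block rule such as those above fired.
        print(f"{ts} {ip} POST writeFileContent.do -> {status}")
```

Hits with a 2xx status that predate the patch or block rule are the ones to correlate with new files in web directories.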