CVE-2023-26578
📋 TL;DR
This vulnerability allows authenticated attackers to upload arbitrary files, including ASP/ASPX web shells, to the web root directory of IDAttend's IDWeb application. Successful exploitation leads to remote command execution on the server. Organizations running IDWeb version 3.1.013 are affected.
💻 Affected Systems
- IDAttend IDWeb
📦 What is this software?
IDWeb by IDAttend
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
Attackers upload web shells to gain command execution, potentially leading to data theft, ransomware deployment, or use as a foothold for lateral movement.
If Mitigated
With proper file upload validation and web server permissions, attackers cannot upload executable files, limiting impact to denial of service or storage consumption.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. File upload vulnerabilities are commonly weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.014 or later
Vendor Advisory: https://www.themissinglink.com.au/security-advisories/cve-2023-26578
Restart Required: Yes
Instructions:
1. Download IDWeb version 3.1.014 or later from vendor.
2. Backup current installation and data.
3. Stop IDWeb service.
4. Install updated version.
5. Restart service.
6. Verify functionality.
🔧 Temporary Workarounds
Restrict file upload extensions
Windows: Configure IIS to block ASP/ASPX file execution in upload directories, using a web.config scoped to the upload directory:
<configuration>
  <system.webServer>
    <handlers>
      <remove name="ASPClassic" />
      <remove name="PageHandlerFactory-ISAPI-2.0" />
      <remove name="PageHandlerFactory-ISAPI-4.0_32bit" />
      <remove name="PageHandlerFactory-ISAPI-4.0_64bit" />
      <remove name="PageHandlerFactory-Integrated" />
    </handlers>
  </system.webServer>
</configuration>
Implement file upload validation
All platforms: Add server-side validation to reject dangerous file types
🧯 If You Can't Patch
- Implement strict file upload validation on web application firewall or reverse proxy
- Restrict IIS permissions to prevent execution of uploaded files in web root
🔍 How to Verify
Check if Vulnerable:
Check IDWeb version in application interface or configuration files. If version is 3.1.013, system is vulnerable.
Check Version:
Check web interface or examine application configuration files for version information
Verify Fix Applied:
After patching, attempt to upload an ASP/ASPX file through the authenticated interface; the upload should be rejected. Verify that the version shows 3.1.014 or later.
📡 Detection & Monitoring
Log Indicators:
- File upload requests with ASP/ASPX extensions
- Unauthorized file creation in web root
- IIS logs showing execution of uploaded ASP/ASPX files
Network Indicators:
- HTTP POST requests with file uploads to IDWeb endpoints
- Unusual outbound connections from web server
SIEM Query:
source="IIS" AND (extension=".asp" OR extension=".aspx") AND method="POST" AND uri CONTAINS "/idweb/upload"
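The log indicators above can also be checked directly against IIS W3C logs. The following is an added example, not vendor or advisory code: it flags successfully served ASP/ASPX paths that are missing from a baseline of known application scripts and records whether the same client sent a POST earlier. The baseline paths, the field selection and the sample log are constructed assumptions; `/idweb/upload` is taken from the SIEM query above.

```python
"""Flag IIS W3C log entries where an unknown ASP/ASPX script was served."""
import posixpath
from urllib.parse import unquote

SCRIPT_EXTS = (".asp", ".aspx")
# Constructed baseline (assumption): script paths that ship with the application.
KNOWN_SCRIPTS = {"/idweb/default.aspx", "/idweb/login.aspx"}

# Constructed sample log, not real data.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2023-10-25 03:10:01 GET /idweb/login.aspx - 198.51.100.7 200
2023-10-25 03:10:09 POST /idweb/login.aspx - 198.51.100.7 302
2023-10-25 03:11:40 POST /idweb/upload jsmith 198.51.100.7 200
2023-10-25 03:11:52 GET /idweb/Photo1.ASPX jsmith 198.51.100.7 200
2023-10-25 03:12:30 GET /idweb/missing.aspx - 203.0.113.9 404
2023-10-25 03:13:02 GET /idweb/default.aspx jsmith 192.0.2.44 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def find_unknown_scripts(text, known=KNOWN_SCRIPTS):
    """Return alerts for served ASP/ASPX paths missing from the baseline."""
    posters = set()  # client IPs that sent a POST earlier in the log
    alerts = []
    for row in parse_w3c(text):
        # Normalise: decode, collapse ../ segments, ignore case (Windows paths).
        path = posixpath.normpath(unquote(row["cs-uri-stem"])).lower()
        if row["cs-method"] == "POST":
            posters.add(row["c-ip"])
        served = row["sc-status"].startswith("2")
        if served and path.endswith(SCRIPT_EXTS) and path not in known:
            alerts.append({"time": f'{row["date"]} {row["time"]}', "path": path,
                           "client": row["c-ip"], "user": row["cs-username"],
                           "client_posted_earlier": row["c-ip"] in posters})
    return alerts

if __name__ == "__main__":
    for alert in find_unknown_scripts(SAMPLE_LOG):
        print(alert)
```

Build the baseline from a clean installation of the patched version so that legitimate application pages are not flagged.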