CVE-2023-34747
📋 TL;DR
This CVE describes a critical file upload vulnerability in ujcms 6.0.2 that allows attackers to upload arbitrary files, including malicious scripts, via the /api/backend/core/web-file-upload/upload endpoint. This affects all ujcms 6.0.2 installations with the vulnerable endpoint accessible. Attackers can achieve remote code execution by uploading webshells or other malicious files.
💻 Affected Systems
- ujcms
📦 What is this software?
Ujcms by Ujcms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution, data exfiltration, and persistent backdoor installation.
Likely Case
Webshell upload leading to website defacement, data theft, and lateral movement within the hosting environment.
If Mitigated
File upload blocked or properly validated, preventing malicious file execution.
🎯 Exploit Status
Exploitation requires authentication to the backend, but once authenticated, file upload is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.3 or later
Vendor Advisory: https://github.com/ujcms/ujcms/issues/4
Restart Required: Yes
Instructions:
1. Backup your ujcms installation and database.
2. Download and install ujcms version 6.0.3 or later from the official repository.
3. Replace all files with the updated version.
4. Restart the web server and application services.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Block access to the /api/backend/core/web-file-upload/upload endpoint via web server configuration or firewall rules. Note that this also blocks legitimate backend uploads until the patch is applied.
# For Apache (server or virtual-host context, requires RewriteEngine On; in .htaccess context the pattern has no leading slash): RewriteRule ^/api/backend/core/web-file-upload/upload - [F]
# For Nginx: location ~ ^/api/backend/core/web-file-upload/upload { deny all; }
Implement file validation
Add server-side file type validation (extension allowlist plus content checks) and restrict uploads to the specific extensions the site actually needs.
# Modify upload handler to validate file extensions and MIME types
# Example: Only allow .jpg, .png, .pdf extensions
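The following is an added example of the server-side validation this workaround calls for; it is not ujcms code and is not taken from the vendor advisory. It assumes an allowlist of .jpg, .png and .pdf (the extensions named above), a 5 MiB size cap, and that the application chooses the on-disk name itself. The checks are ordered so that the cheapest rejections (size, illegal characters) happen before any content inspection, and the magic-byte check ensures the file body matches the claimed type rather than trusting the client-supplied extension or Content-Type.

```python
import re
import secrets
from typing import Tuple

# Allowlisted extensions and the magic bytes a file of that type must begin with.
# Constructed for this example: tune to the types the site actually needs.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024          # size cap (assumption: 5 MiB)
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason); rejects on the first failed check."""
    # 1. Size limit first, before any other processing of the body.
    if not content or len(content) > MAX_BYTES:
        return False, "empty or oversized upload"
    # 2. No NUL bytes or path separators in the client-supplied name
    #    (defeats "shell.jsp\x00.jpg" and "../" tricks).
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "illegal characters in filename"
    # 3. Exactly one dot, so double extensions like "shell.jsp.jpg" fail.
    parts = filename.split(".")
    if len(parts) != 2:
        return False, "filename must be of the form name.ext"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return False, "illegal characters in filename stem"
    # 4. Extension allowlist; a denylist of .php/.jsp is easy to bypass
    #    (.jspx, .phtml, case variants ...), an allowlist is not.
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    # 5. The bytes must match the claimed type; the extension and the
    #    client-sent Content-Type header are both attacker-controlled.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Server-chosen on-disk name: random stem plus the validated extension,
    so the client-supplied name never reaches the filesystem."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Validate, then return (True, on-disk name) or (False, reason)."""
    ok, reason = validate_upload(filename, content)
    if not ok:
        return False, reason
    return True, storage_name(filename)
```

Store accepted files outside the servlet container's web root (or on a path the application server is configured not to execute) so that even a validation miss cannot turn an upload into executable content.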
🧯 If You Can't Patch
- Implement strict file upload validation including file type checking, size limits, and content inspection.
- Deploy a web application firewall (WAF) with rules to detect and block malicious file upload attempts.
🔍 How to Verify
Check if Vulnerable:
Check if your ujcms version is 6.0.2 and if the /api/backend/core/web-file-upload/upload endpoint accepts file uploads without proper validation.
Check Version:
Check the version in the ujcms admin panel or examine the application files for version information.
Verify Fix Applied:
After patching, attempt to upload a harmless test file with a script extension (e.g., .php, .jsp) and verify it is rejected. Check that the version is 6.0.3 or later.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file upload attempts
- Uploads of unusual file types (.php, .jsp, .exe)
- Requests to /api/backend/core/web-file-upload/upload with suspicious parameters
Network Indicators:
- POST requests to the vulnerable endpoint with file uploads
- Unusual outbound connections from the web server after file uploads
SIEM Query:
source="web_server" AND (uri="/api/backend/core/web-file-upload/upload" OR file_extension IN ("php", "jsp", "exe"))
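The log and network indicators above can be turned into a small triage script run over the web server's access log. This is an added example, not part of the original advisory or of ujcms; it assumes the combined access-log format written by Apache and Nginx, a failed-upload threshold of three non-2xx POSTs per source address, and constructed sample lines that are not real traffic. It flags every POST to the upload endpoint, addresses that repeatedly fail against it, and any request for a path ending in a script or executable extension, which after an upload is the sign that a dropped file is being reached.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

UPLOAD_ENDPOINT = "/api/backend/core/web-file-upload/upload"
SCRIPT_EXTENSIONS = (".php", ".jsp", ".jspx", ".exe")
FAILED_UPLOAD_THRESHOLD = 3   # non-2xx POSTs per source IP (assumption)

# Minimal parser for the combined access-log format used by Apache and Nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for this example, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2023:12:00:01 +0000] "POST /api/backend/core/web-file-upload/upload HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2023:12:00:02 +0000] "POST /api/backend/core/web-file-upload/upload HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2023:12:00:03 +0000] "POST /api/backend/core/web-file-upload/upload HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2023:12:00:10 +0000] "POST /api/backend/core/web-file-upload/upload HTTP/1.1" 200 57 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2023:12:00:11 +0000] "GET /uploads/cmd.jsp HTTP/1.1" 200 312 "-" "curl/8.0"
198.51.100.4 - - [10/Jun/2023:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2023:12:01:05 +0000] "POST /api/backend/core/web-file-upload/upload HTTP/1.1" 200 57 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text: str) -> Dict[str, object]:
    """Apply the advisory's log indicators to a block of access-log text."""
    endpoint_posts: Counter = Counter()
    failed_posts: Counter = Counter()
    script_requests: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Indicator: POST to the vulnerable endpoint (count per source address).
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            endpoint_posts[rec["ip"]] += 1
            if not 200 <= rec["status"] < 300:
                failed_posts[rec["ip"]] += 1
        # Indicator: any request for a script/executable extension.
        if rec["path"].lower().endswith(SCRIPT_EXTENSIONS):
            script_requests.append((rec["ip"], rec["path"]))
    return {
        "endpoint_posts": dict(endpoint_posts),
        "repeated_failures": sorted(
            ip for ip, n in failed_posts.items() if n >= FAILED_UPLOAD_THRESHOLD
        ),
        "script_requests": script_requests,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A successful POST to the endpoint followed within seconds by a GET for a .jsp path from the same address, as in the sample, is the sequence worth an immediate alert; a lone POST from a known administrator address is normal backend use.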