CVE-2023-34865

9.8 CRITICAL

📋 TL;DR

A directory traversal vulnerability in ujcms 6.0.2 allows attackers to move files to arbitrary locations on the server via the rename feature. This affects all ujcms 6.0.2 installations with the vulnerable rename functionality enabled. Attackers can potentially overwrite critical system files or upload malicious content.

💻 Affected Systems

Products:
  • ujcms
Versions: 6.0.2
Operating Systems: All operating systems running ujcms
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of ujcms 6.0.2 with the file rename functionality accessible are vulnerable. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise by overwriting critical files such as /etc/passwd or system binaries, or by placing web shells, leading to remote code execution and data exfiltration.

🟠 Likely Case

Website defacement, data manipulation, or denial of service by overwriting application files. Attackers may upload backdoors or modify configuration files.

🟢 If Mitigated

Limited impact if proper file permission restrictions and input validation are in place, potentially only affecting non-critical files within the web directory.

🌐 Internet-Facing: HIGH - Web applications are directly accessible from the internet, making them prime targets for automated scanning and exploitation.
🏢 Internal Only: MEDIUM - Internal attackers with network access could exploit this, but exploitation requires specific knowledge of the ujcms installation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the rename feature, which typically requires authentication. The vulnerability is simple to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.3 or later

Vendor Advisory: https://github.com/ujcms/ujcms/issues/5

Restart Required: Yes

Instructions:

1. Back up your ujcms installation and database.
2. Download ujcms 6.0.3 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Restart the web server service.

🔧 Temporary Workarounds

Disable file rename functionality (Platform: all)

Temporarily disable or restrict access to the file rename feature in the ujcms administration panel.

Modify the ujcms configuration to remove rename permissions from user roles.

Implement input validation at web server level (Platform: linux)

Add web application firewall rules or mod_security rules to block directory traversal attempts.

Add mod_security rule: SecRule ARGS "@contains ../" "id:1001,deny,status:403"

This rule matches only the literal string ../ in parsed request arguments, so treat it as a stopgap until the upgrade to 6.0.3 or later is in place.

🧯 If You Can't Patch

  • Implement strict file system permissions to restrict the ujcms web user to only the necessary directories
  • Deploy a web application firewall with directory traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check if running ujcms version 6.0.2 and test if file rename functionality accepts paths with '../' sequences.

Check Version:

Check ujcms admin panel or version.txt file in installation directory

Verify Fix Applied:

Verify ujcms version is 6.0.3 or later and test that directory traversal attempts in rename feature are rejected.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to rename endpoints containing '../' sequences
  • Unauthorized file modification events in system logs

Network Indicators:

  • POST requests to file management endpoints with suspicious path parameters

SIEM Query:

source="web_server" AND (uri="*rename*" OR uri="*file*" OR uri="*upload*") AND (request_body="*../*" OR uri="*../*")
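
The log indicators and SIEM query above match the literal string ../ only. The following added example (not part of the original advisory or of ujcms) applies the same check after percent-decoding, so encoded forms of the sequence are flagged as well. The record layout, endpoint path and parameter names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoint keywords copied from the SIEM query on this page.
ENDPOINT_HINTS = ("rename", "file", "upload")
# A ".." path segment: not glued to a preceding word character or dot,
# and followed by a path separator or the end of the value.
DOTDOT_SEGMENT = re.compile(r"(?<![\w.])\.\.(?=[\\/]|$)")


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so single- and double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(uri, body=""):
    """True when a file-management request carries a '..' path segment."""
    if not any(hint in decode_fully(uri).lower() for hint in ENDPOINT_HINTS):
        return False
    return any(DOTDOT_SEGMENT.search(decode_fully(part)) for part in (uri, body))


def scan(records):
    """Return the (method, uri, body) records that should raise an alert."""
    return [rec for rec in records if is_suspicious(rec[1], rec[2])]


# Constructed sample records; the endpoint path and parameter names are hypothetical.
SAMPLE = [
    ("POST", "/hypothetical/files/rename", "name=a.png&dest=../../conf/a.png"),
    ("POST", "/hypothetical/files/rename", "name=a.png&dest=%2e%2e%2fconf%2fa.png"),
    ("POST", "/hypothetical/files/rename", "name=a.png&dest=%252e%252e%255cconf"),
    ("POST", "/hypothetical/files/rename", "name=report..final.txt&dest=archive/"),
    ("GET", "/hypothetical/articles?title=../x", ""),
]

if __name__ == "__main__":
    for method, uri, _ in scan(SAMPLE):
        print("ALERT", method, uri)
```

The fourth record is left alone because its two dots sit inside a file name rather than forming a path segment, and the fifth because the URI is not a file-management endpoint.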
