CVE-2023-34939
📋 TL;DR
CVE-2023-34939 is a critical remote code execution vulnerability in the UploadProgress.ashx handler of ONLYOFFICE Community Server. A path traversal in that component lets an attacker write an uploaded file outside the intended upload directory, which leads to arbitrary code execution on the server. It affects ONLYOFFICE Community Server versions before 12.5.2; a compromised server exposes the whole document management system and the data it holds.
💻 Affected Systems
- ONLYOFFICE Community Server
📦 What is this software?
ONLYOFFICE Community Server, by ONLYOFFICE (Ascensio System SIA), is the open-source collaboration platform of the ONLYOFFICE suite: document management, projects, CRM, mail and calendar, served by an ASP.NET web application (WebStudio). UploadProgress.ashx is one of that application's ASP.NET HTTP handlers.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive documents, install persistent backdoors, pivot to other internal systems, and potentially encrypt data for ransomware attacks.
Likely Case
Attackers gain initial foothold on the server, exfiltrate sensitive documents and user data, install cryptocurrency miners or other malware, and potentially use the compromised server for further attacks.
If Mitigated
Limited impact due to network segmentation, proper access controls, and monitoring that detects and blocks exploitation attempts before significant damage occurs.
🎯 Exploit Status
A public proof-of-concept (see References) demonstrates the path traversal: an uploaded file is written outside the intended directory, and that arbitrary file write is turned into code execution. Exploitation is straightforward with the published material and needs no custom tooling.
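To make the bug class concrete, here is an added Python illustration that is neither ONLYOFFICE code nor the published PoC: a naive upload-path join beside a hardened one. The upload directory, the file names, the helper names and the assumption that the file name arrives as a URL-encoded string are all chosen for the example; the real handler's parameters and storage layout are not shown on this page.

```python
import os
from urllib.parse import unquote

# Added illustration of the path-traversal file-write bug class, not ONLYOFFICE code.
# UPLOAD_DIR is an assumed location chosen for the example.
UPLOAD_DIR = "/srv/onlyoffice/uploads"


def unsafe_target(upload_dir: str, user_filename: str) -> str:
    """Vulnerable pattern: join the client-supplied name onto the upload
    directory and trust the result. '../' segments walk out of the
    directory and an absolute name replaces it entirely."""
    return os.path.normpath(os.path.join(upload_dir, user_filename))


def safe_target(upload_dir: str, user_filename: str) -> str:
    """Hardened pattern: decode, reject anything that is not a bare file
    name, then prove the canonical result still sits inside upload_dir."""
    # Decode so encoded separators (%2F, %5C) are inspected here rather than
    # handed to a lower layer that may decode them later.
    name = unquote(user_filename)
    # A bare file name has no separator of either flavour, no NUL byte and is
    # not a reserved dot entry. Rejecting (rather than stripping) leaves a
    # log trail of attempts.
    if name in ("", ".", "..") or "/" in name or "\\" in name or "\x00" in name:
        raise ValueError(f"rejected file name: {user_filename!r}")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Defence in depth: commonpath compares whole path components, so it is
    # not fooled by a sibling directory sharing a prefix (/srv/x vs /srv/xy).
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the upload directory")
    return target


def demo(upload_dir: str = UPLOAD_DIR):
    """Compare both handlers on benign and hostile names (constructed inputs).
    Returns (name, naive result, hardened result) rows."""
    names = ["report.docx", "../../etc/cron.d/job", "..%2F..%2Fshell.aspx", "/etc/passwd"]
    rows = []
    for n in names:
        try:
            hardened = safe_target(upload_dir, n)
        except ValueError as e:
            hardened = f"REJECTED ({e})"
        rows.append((n, unsafe_target(upload_dir, n), hardened))
    return rows


if __name__ == "__main__":
    for name, naive, hardened in demo():
        print(f"{name!r:28} naive -> {naive:28} hardened -> {hardened}")
```

The naive join is the whole bug: os.path.join silently discards the base when the second argument is absolute, and normpath happily collapses "../" out of the intended directory. The hardened version does not try to sanitise a path; it accepts only a bare file name and then verifies the canonical result with a component-wise containment check.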
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.5.2 and later
Vendor Advisory: https://github.com/ONLYOFFICE/CommunityServer/blob/master/CHANGELOG.md#version-1252
Restart Required: Yes
Instructions:
1. Back up your data and configuration.
2. Download ONLYOFFICE Community Server version 12.5.2 or later from the official repository.
3. Follow the upgrade instructions for your platform.
4. Restart the service.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Disable UploadProgress.ashx
Temporarily disable the vulnerable component by renaming UploadProgress.ashx (or otherwise denying access to it). This also breaks legitimate upload-progress tracking in the web UI, and an upgrade will put the file back, so treat it as a stopgap until 12.5.2 is deployed.
# For Linux: mv /var/www/onlyoffice/WebStudio/UploadProgress.ashx /var/www/onlyoffice/WebStudio/UploadProgress.ashx.disabled
# For Windows (quote the path, it contains a space): rename "C:\Program Files\ONLYOFFICE\WebStudio\UploadProgress.ashx" UploadProgress.ashx.disabled
Web Application Firewall Rules
Implement WAF rules for requests to UploadProgress.ashx. The example below denies every request to the handler (it matches the URI only and inspects no parameters), so it is functionally the same as removing the file. If legitimate upload-progress polling must keep working, narrow the rule to match traversal sequences such as ../ or ..\ (and their percent-encoded forms) in the request arguments instead.
# Example ModSecurity rule: SecRule REQUEST_URI "@contains UploadProgress.ashx" "id:1001,phase:1,deny,status:403"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ONLYOFFICE servers from critical systems
- Deploy application-level monitoring and intrusion detection specifically for UploadProgress.ashx access patterns
🔍 How to Verify
Check if Vulnerable:
Confirm the installed version (below); any ONLYOFFICE Community Server older than 12.5.2 is vulnerable. The presence of UploadProgress.ashx in the WebStudio directory is not by itself proof of exposure, since exposure depends on the version and not on whether the file exists. Run the public PoC only against a test instance you are authorised to attack.
Check Version:
# Linux:
grep 'version' /var/www/onlyoffice/WebStudio/web.appsettings.config
# Windows:
findstr version "C:\Program Files\ONLYOFFICE\WebStudio\web.appsettings.config"
Verify Fix Applied:
Confirm the reported version is 12.5.2 or later (compare numerically rather than as strings, so a hypothetical 12.5.10 is not mistaken for an older release) and re-run the PoC against a test instance to confirm the handler no longer writes uploads outside the intended directory.
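An added Python example (not ONLYOFFICE tooling) that reads the version out of web.appsettings.config and compares it numerically against 12.5.2. It assumes the version is stored as an add element whose key contains "version" under appSettings; the exact key name used by the product is not confirmed on this page, and the sample config embedded below is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not ONLYOFFICE tooling: locate the version in
# web.appsettings.config and compare it against the fixed release.
FIXED_VERSION = (12, 5, 2)

# Constructed sample of the config file. Assumption: the version is held as an
# <add key="..." value="..."/> entry whose key contains "version"; the real
# key name is not confirmed here.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<appSettings>
  <add key="web.hub" value="/socket.io/" />
  <add key="version.number" value="12.5.1" />
</appSettings>
"""


def parse_version(text: str) -> tuple:
    """'12.5.2' or '12.5.2.1234' -> (12, 5, 2[, 1234]) so comparison is numeric."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no dotted version in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def version_from_appsettings(xml_text: str) -> tuple:
    """Find the first <add> whose key mentions 'version' and parse its value."""
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        if "version" in add.get("key", "").lower():
            return parse_version(add.get("value", ""))
    raise ValueError("no version entry found in appSettings")


def is_fixed(version: tuple) -> bool:
    """True when version >= 12.5.2. Tuples compare element-wise, which is what
    plain string comparison gets wrong ('12.5.10' sorts before '12.5.2')."""
    padded = tuple(version) + (0,) * max(0, 3 - len(version))
    return padded[:3] >= FIXED_VERSION


def assess(xml_text: str) -> dict:
    """Summarise a config document as {'version': 'x.y.z', 'fixed': bool}."""
    v = version_from_appsettings(xml_text)
    return {"version": ".".join(map(str, v)), "fixed": is_fixed(v)}


if __name__ == "__main__":
    import sys
    # Usage: python check_version.py /var/www/onlyoffice/WebStudio/web.appsettings.config
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(assess(text))
```

Point the script at the real file on the server; without an argument it evaluates the constructed sample, which reports 12.5.1 as not fixed.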
📡 Detection & Monitoring
Log Indicators:
- Unusual access to UploadProgress.ashx with file upload parameters
- Multiple failed upload attempts with suspicious file extensions
- System commands executed from web server context
Network Indicators:
- HTTP POST requests to UploadProgress.ashx with unusual payloads
- Outbound connections from ONLYOFFICE server to unknown external IPs
SIEM Query:
source="onlyoffice" AND uri="*UploadProgress.ashx*" AND (method="POST" OR params="*../*" OR params="*..\\*" OR params="*%2e%2e*" OR params="*cmd*")
Run the match against the URL-decoded request where your SIEM exposes one; otherwise keep the percent-encoded forms in the query, because ..%2F and ..%5C contain no literal separator. The ..\\ term is an escaped backslash. The *cmd* term is noisy on its own and is only useful in combination with the other conditions, and every match should be reviewed alongside the response status and size.
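The same detection logic as an added Python example (not ONLYOFFICE tooling), run over constructed nginx-style access log lines: it picks out requests to UploadProgress.ashx whose query string carries a traversal sequence after full percent-decoding (so ..%2F, ..%5C and double-encoded ..%252F are all caught), and notes POSTs and executable or config file extensions. The query parameter name "file", the file names and the client addresses in the sample are made up; the real request parameters are not shown on this page, so the check keys on the traversal sequence rather than on a parameter name.

```python
import re
from urllib.parse import unquote

# Added example, not ONLYOFFICE tooling. Constructed nginx-style access log
# lines; the parameter name "file", file names and addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2023:10:01:02 +0000] "GET /UploadProgress.ashx?submitId=abc123 HTTP/1.1" 200 57
203.0.113.7 - - [12/Jun/2023:10:05:44 +0000] "POST /UploadProgress.ashx?file=..%2F..%2Fshell.aspx HTTP/1.1" 200 12
198.51.100.9 - - [12/Jun/2023:10:06:10 +0000] "GET /UploadProgress.ashx?file=..%252F..%255Cprobe HTTP/1.1" 404 0
10.0.0.6 - - [12/Jun/2023:10:07:00 +0000] "GET /Products/Files/ HTTP/1.1" 200 4312
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# "../" or "..\" anywhere in the decoded parameters.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
# Extensions the web server would execute or that alter its configuration.
EXEC_EXT_RE = re.compile(r"\.(aspx|ashx|asmx|dll|config)(\W|$)", re.IGNORECASE)


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so double encoding (%252F) is seen as /."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line: str):
    """Return an alert dict for a suspicious UploadProgress.ashx request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["uri"].partition("?")
    if "uploadprogress.ashx" not in path.lower():
        return None
    query = decode_fully(query)
    reasons = []
    if TRAVERSAL_RE.search(query):
        reasons.append("path traversal in parameters")
    if EXEC_EXT_RE.search(query):
        reasons.append("executable or config file extension in parameters")
    if m["method"] == "POST":
        reasons.append("POST to UploadProgress.ashx")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["time"], "method": m["method"],
            "status": m["status"], "query": query, "reasons": reasons}


def scan(lines):
    """Run classify over an iterable of log lines and keep the hits."""
    return [a for a in (classify(line) for line in lines) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert["ip"], alert["method"], alert["status"], alert["query"], alert["reasons"])
```

A POST on its own is the weakest signal and the traversal sequence the strongest, so rank alerts by their reasons rather than counting them equally. The check only works if the web server logs the query string (nginx's default $request does), and a 200 on a traversal attempt deserves immediate follow-up on the server's file system.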
🔗 References
- https://github.com/ONLYOFFICE/CommunityServer/blob/master/CHANGELOG.md#version-1252
- https://github.com/firsov/onlyoffice
- https://github.com/firsov/onlyoffice/blob/main/CVE-2023-34939-PoC.md