CVE-2023-37289
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to upload arbitrary files to InfoDoc Document On-line Submission and Approval System servers and execute them, giving them the ability to run system commands and potentially take full control of the host. The advisory does not enumerate the affected versions or a fixed release, so treat every deployment as affected until the vendor confirms otherwise.
💻 Affected Systems
- InfoDoc Document On-line Submission and Approval System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or use the server as a pivot point into internal networks.
Likely Case
Attackers upload web shells or malware to gain persistent access, exfiltrate sensitive documents, or disrupt the document approval system.
If Mitigated
If unauthenticated access to the upload endpoint is blocked and uploads are validated server-side, the arbitrary-file-write path is closed. Residual exposure is then limited to abuse of the legitimate upload feature (disk or resource exhaustion) and to any other flaw in the application.
🎯 Exploit Status
The advisory does not reference a public exploit, but none is needed: an unauthenticated, unrestricted upload is exploitable with a single multipart POST from curl or a browser once the endpoint is known. Assume exploitation is trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-7225-cef32-1.html
Restart Required: No
Instructions:
1. Check the vendor advisory for an updated release.
2. If a patch is available, apply it following the vendor's instructions.
3. Test the upload and approval workflow after patching, and remove any temporary workaround only after the fix has been verified.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Block uploads whose filenames carry server-side script extensions or suspicious patterns. Treat this as a stopgap only: extension blocklists are routinely bypassed (double extensions, case variants, null bytes), so pair the rule with authentication enforcement on the upload endpoint where the WAF can do it.
Disable File Upload Function
Temporarily disable the vulnerable upload feature, or deny unauthenticated requests to it at the reverse proxy, until the vendor fix is applied.
🧯 If You Can't Patch
- Require authentication for the upload endpoint at the reverse proxy or application layer
- Implement strict file type validation on the server side: allowlist permitted extensions and verify the file content matches the declared type
- Store uploaded files outside the web root under random names with restrictive permissions, and disable script execution in any directory that must stay web-accessible
🔍 How to Verify
Check if Vulnerable:
On a system you are authorized to test, send an unauthenticated request to the upload endpoint with a harmless file whose name carries a server-side script extension (.php, .jsp, .aspx, etc.), for example a text file containing only a unique marker string. If the request is accepted and the file is reachable under the web root, the instance is vulnerable. Do not upload a working web shell to confirm this.
Check Version:
Check application version in admin interface or configuration files
Verify Fix Applied:
Test that unauthenticated requests to the upload endpoint are refused, and that authenticated uploads now validate file types and reject script extensions and mismatched content.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads, especially with executable extensions
- Multiple failed upload attempts
- Files written to unexpected directories
Network Indicators:
- HTTP POST requests to upload endpoints without a valid session, or with scripted user agents (curl, wget, python-requests)
- A POST to the upload endpoint followed shortly by a GET to a newly created file with a script extension from the same source address (web shell check-in)
SIEM Query:
source="web_server" AND method="POST" AND uri CONTAINS "upload" AND (user_agent CONTAINS "curl" OR user_agent CONTAINS "wget" OR user_agent CONTAINS "python-requests")
Do not OR a status_code=200 condition into this query; it would match every legitimate upload. Run a second query for GET requests returning 200 to paths ending in .php, .jsp or .aspx under the upload or document storage directories, and correlate the two by source address.
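As an added example, not part of the original advisory, the detection logic described above run over constructed web server access log entries in combined log format. The endpoint paths, addresses and timestamps are invented for illustration; the two rules implemented are the scripted-user-agent upload and the upload-then-script-GET correlation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD uri proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SCRIPTED_UA = ("curl", "wget", "python-requests", "go-http-client")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|jsp|jspx|asp|aspx|cgi|pl|sh)(\?|$)", re.I)
UPLOAD_PATH = re.compile(r"upload", re.I)

# Constructed sample log. The /docflow/... paths are hypothetical, not the product's real routes.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2023:10:01:02 +0800] "POST /docflow/upload HTTP/1.1" 200 512 "-" "curl/8.1.2"
203.0.113.5 - - [12/Jul/2023:10:01:09 +0800] "GET /docflow/files/cmd.aspx?c=whoami HTTP/1.1" 200 143 "-" "curl/8.1.2"
198.51.100.7 - - [12/Jul/2023:10:03:30 +0800] "POST /docflow/upload HTTP/1.1" 200 512 "https://docs.example.internal/docflow/new" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 - - [12/Jul/2023:10:03:41 +0800] "GET /docflow/files/contract.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.9 - - [12/Jul/2023:10:30:00 +0800] "GET /docflow/login HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def detect(lines, window: timedelta = timedelta(minutes=10)):
    """Return (rule, source_ip, uri) alerts for upload-exploitation patterns.

    rule "scripted-upload": POST to an upload endpoint with a scripted user agent.
    rule "webshell-access": GET returning 200 to a script-extension path from an
    address that completed an upload POST within `window` beforehand.
    """
    alerts = []
    recent_uploads = defaultdict(list)  # source ip -> timestamps of accepted upload POSTs
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        if e["method"] == "POST" and UPLOAD_PATH.search(e["uri"]):
            if any(tag in e["ua"].lower() for tag in SCRIPTED_UA):
                alerts.append(("scripted-upload", e["ip"], e["uri"]))
            if 200 <= e["status"] < 400:
                recent_uploads[e["ip"]].append(e["ts"])
        elif e["method"] == "GET" and e["status"] == 200 and SCRIPT_EXT.search(e["uri"]):
            # Correlate with an earlier successful upload from the same address.
            if any(timedelta(0) <= e["ts"] - t <= window for t in recent_uploads[e["ip"]]):
                alerts.append(("webshell-access", e["ip"], e["uri"]))
    return alerts


if __name__ == "__main__":
    for rule, ip, uri in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:16} {ip:15} {uri}")
```

The browser user at 198.51.100.7 uploads and then fetches a PDF and produces no alert; the curl client at 203.0.113.5 trips both rules. Multipart filenames do not appear in access logs, so the second rule keys on the later request for the dropped file rather than on the upload itself.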