CVE-2023-40980
📋 TL;DR
This vulnerability lets a remote, unauthenticated attacker upload arbitrary files to DWSurvey-OSS by abusing the file upload functions in the UploadAction.java component. If the uploaded file is a server-side script such as a .jsp page that the application server will execute, the result is arbitrary code execution on the server. All deployments running DWSurvey-OSS version 3.2.0 or earlier are affected.
💻 Affected Systems
- DWSurvey-OSS
📦 What is this software?
DWSurvey, by Diaowen, is an open-source, Java-based online survey and questionnaire system; the community edition (DWSurvey-OSS) is published at https://github.com/wkeyuan/DWSurvey. The vulnerable code lives in the UploadAction.java component of that edition.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, steal data, deploy ransomware, or pivot to internal networks.
Likely Case
Webshell deployment leading to data exfiltration, credential theft, and persistence on the compromised server.
If Mitigated
With uploads to the vulnerable endpoints blocked at the WAF, or restricted to validated non-executable types stored outside the web root, the remaining exposure is denial of service if repeated upload attempts exhaust disk or memory on the server.
🎯 Exploit Status
The vulnerable upload functions sit on publicly accessible endpoints that require no authentication, so exploitation only requires crafting a malicious file upload request against them.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: a release after v3.2.0 (the vendor reference below is the GitHub issue thread for this bug, not a release note; confirm the fixed version there before treating an upgrade as complete)
Vendor Advisory: https://github.com/wkeyuan/DWSurvey/issues/107
Restart Required: Yes
Instructions:
1. Upgrade DWSurvey-OSS to a release after v3.2.0.
2. Restart the application server so the new build is loaded.
3. Verify the fix by confirming that the /action/UploadAction endpoints no longer accept arbitrary file types (see How to Verify below).
🔧 Temporary Workarounds
Web Application Firewall Rules
Block requests to the vulnerable endpoint (/action/UploadAction, the handler implemented in UploadAction.java) that invoke the saveimage or savveFile methods.
Rule syntax is WAF-specific; configure a rule that blocks POST requests containing 'saveimage' or 'savveFile' in the URL or request parameters. Match case-insensitively, and expect the rule to disable any legitimate upload feature that uses these methods until the patch is applied.
File Upload Restriction
Configure the server to reject uploads with dangerous extensions.
Modify the web server configuration to block uploads of .jsp, .war, .jar, .exe and .php files. Treat this as a stopgap only: an extension blocklist is routinely bypassed with aliases such as .jspx, mixed case, or double extensions, so it should sit alongside the WAF rule rather than replace it, and an allowlist of permitted types is the stronger control.
🧯 If You Can't Patch
- Implement strict file upload validation: allow only an explicit list of file types, verify each file's signature (magic bytes) against the claimed type rather than trusting the extension, and store uploaded files under server-chosen names outside the web root.
- Network segmentation: isolate DWSurvey servers from critical systems and enforce strict outbound firewall rules so a webshell cannot reach the internal network or the attacker's infrastructure.
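The upload validation described above, written out as an added example; this is not DWSurvey's code and does not reproduce its UploadAction handler. The allowlist of image types, the UPLOAD_ROOT directory and the sample uploads are all assumptions made for illustration.

```python
import os
import secrets
import tempfile

# Allowlist of permitted upload types, keyed by extension, with the file
# signature each must start with. The set itself is a hypothetical choice
# for a survey application that only needs images.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Hypothetical storage directory, deliberately outside the servlet container's
# document root so that nothing written here can be requested as a URL.
UPLOAD_ROOT = "/var/lib/dwsurvey-uploads"


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says why."""


def validate_upload(filename: str, data: bytes) -> str:
    """Validate a client-supplied name and content; return the allowlisted
    extension or raise UploadRejected.

    Rejects path separators and NULs, names with more than one extension
    (so 'shell.png.jsp' cannot reach a multi-extension-aware server), any
    extension outside the allowlist, and content whose leading bytes do not
    match the claimed type (so 'shell.jsp' renamed to 'shell.png' fails).
    """
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        raise UploadRejected("path separator or NUL in filename")
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise UploadRejected("exactly one extension is required")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not look like a .{ext} file")
    return ext


def upload_verdict(filename: str, data: bytes) -> str:
    """Convenience wrapper: 'accepted:<ext>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + validate_upload(filename, data)
    except UploadRejected as exc:
        return "rejected:" + str(exc)


def store_upload(filename: str, data: bytes, root: str = UPLOAD_ROOT) -> str:
    """Validate, then write the bytes under a random server-chosen name.

    The client's filename never touches the filesystem, and 'x' mode refuses
    to overwrite an existing file. Returns the path written."""
    ext = validate_upload(filename, data)
    os.makedirs(root, exist_ok=True)
    path = os.path.join(root, f"{secrets.token_hex(16)}.{ext}")
    with open(path, "xb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample uploads: one real-looking PNG header and the bypass
    # shapes an attacker would try against a plain extension blocklist.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    samples = [
        ("avatar.png", png),
        ("shell.jsp", b"<%@ page import=\"java.io.*\" %>"),
        ("shell.png.jsp", png),
        ("fake.png", b"<%@ page %>"),
        ("../escape.png", png),
    ]
    for name, content in samples:
        print(f"{name:16} -> {upload_verdict(name, content)}")
    with tempfile.TemporaryDirectory() as tmp:
        print("stored at", store_upload("avatar.png", png, root=tmp))
```

The order of checks matters: the name is sanitised before the extension is read, and the content signature is checked last so that a renamed script is rejected even when the extension is acceptable. Random server-side names also remove the attacker's control over where the file lands.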
🔍 How to Verify
Check if Vulnerable:
Check if DWSurvey version is 3.2.0 or earlier by examining application version in admin panel or configuration files.
Check Version:
Check application.properties or version.txt files in DWSurvey installation directory for version information.
Verify Fix Applied:
On a non-production instance you are authorized to test, attempt to upload a harmless file with a server-side extension (for example a .jsp containing only a comment) to the /action/UploadAction endpoints; after the patch the upload should be rejected.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file upload attempts
- Uploads of files with unusual extensions (.jsp, .war, .exe)
- Requests to /action/UploadAction with saveimage/savveFile parameters
Network Indicators:
- Unusual outbound connections from DWSurvey server
- Large file uploads to unexpected endpoints
SIEM Query (pseudo-syntax; map source, url and param to the field names of your log source):
source="DWSurvey" AND (url="*UploadAction*" AND (param="*saveimage*" OR param="*savveFile*"))
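The log indicators and the SIEM query above, turned into detection logic that runs over sample access-log lines; this is an added example, not code from DWSurvey or from any SIEM vendor. The combined log format, the `method=` query parameter used to select saveimage/savveFile, the sample addresses and the request lines are all constructed assumptions; adjust the matching to how your deployment actually invokes the action.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined access-log format; none of this is
# real traffic. The 'method=' query parameter is an assumption about how the
# action selects saveimage/savveFile.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /action/UploadAction?method=savveFile HTTP/1.1" 200 512 "-" "curl/8.1.2"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "POST /action/UploadAction?method=saveimage HTTP/1.1" 200 5120 "-" "curl/8.1.2"
10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /upload/file/cmd.jsp?cmd=id HTTP/1.1" 200 87 "-" "curl/8.1.2"
192.168.1.20 - - [10/Oct/2023:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
192.168.1.21 - - [10/Oct/2023:13:58:00 +0000] "POST /action/UploadAction?method=saveimage HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.168.1.21 - - [10/Oct/2023:13:58:03 +0000] "POST /action/UploadAction?method=saveimage HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.168.1.21 - - [10/Oct/2023:13:58:07 +0000] "POST /action/UploadAction?method=savveFile HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Extensions the page lists as unusual in uploads, plus the .jspx alias that
# commonly slips past a .jsp-only blocklist (assumption).
DANGEROUS_EXT = (".jsp", ".jspx", ".war", ".jar", ".exe", ".php")
UPLOAD_METHODS = ("saveimage", "savvefile")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k.lower(): v[0].lower() for k, v in parse_qs(parts.query).items()}
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the indicator tags that apply to one parsed request."""
    tags = []
    target_l = rec["target"].lower()
    if "uploadaction" in rec["path"].lower():
        tags.append("upload_action")
        # The page's indicator: saveimage/savveFile anywhere in the URL or
        # its parameters, matched case-insensitively.
        if any(m in target_l for m in UPLOAD_METHODS):
            tags.append("upload_method")
        if rec["status"] >= 400:
            tags.append("upload_denied")
    if rec["path"].lower().endswith(DANGEROUS_EXT):
        # A later GET of a server-side script is the uploaded webshell in use.
        tags.append("dangerous_extension")
    return tags


def scan(log_text):
    """Run classify() over every line; return (ip, target, tags) for each hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec["ip"], rec["target"], tags))
    return hits


def failed_uploads_by_ip(log_text, threshold=3):
    """Count 4xx/5xx responses to UploadAction per source IP (the page's
    'multiple failed upload attempts' indicator) and return the sources at
    or above the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "upload_denied" in classify(rec):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, target, tags in scan(SAMPLE_LOG):
        print(f"{ip:14} {target:48} {','.join(tags)}")
    print("repeat offenders:", failed_uploads_by_ip(SAMPLE_LOG))
```

Matching on the path rather than the whole request line keeps `/action/UploadAction` hits separate from a later fetch of an uploaded `.jsp`, which is the follow-on indicator worth alerting on even when the upload itself returned 200. The threshold in `failed_uploads_by_ip` is a starting point; tune it against your normal traffic before paging anyone on it.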