CVE-2023-46428
📋 TL;DR
An arbitrary file upload vulnerability in HadSky v7.12.10 allows attackers to upload malicious files that can lead to remote code execution. This affects all HadSky installations running the vulnerable version, potentially compromising the entire web application and server.
💻 Affected Systems
- HadSky
📦 What is this software?
HadSky is a lightweight PHP forum/community application by the HadSky project. Because it runs as PHP under the web server, a file the attacker can upload into a web-served directory with an executable extension runs with the web server's privileges.
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with attacker gaining shell access, data exfiltration, and lateral movement within the network.
Likely Case
Webshell deployment leading to website defacement, data theft, and further exploitation of the server.
If Mitigated
File upload blocked or malicious files detected and removed before execution.
🎯 Exploit Status
Exploitation requires an authenticated account that can reach the upload feature, but is straightforward once that access is obtained. The GitHub reference linked under Official Fix contains the analysis details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v7.12.11 or later (confirm against the HadSky project's own release notes)
Reference: https://github.com/fenglon/CVE/blob/main/analyse.md (third-party researcher analysis, not a vendor advisory)
Restart Required: No
Instructions:
1. Back up the current installation (files and database).
2. Download the latest HadSky release from the official source.
3. Replace the vulnerable files with the patched version.
4. Verify that file upload is properly restricted (see How to Verify below).
🔧 Temporary Workarounds
Restrict File Upload Types
Configure the web server so that nothing in the upload directory can be executed, and allow only specific safe file extensions to be served from it. Scope the rules to the upload directory: applied at the web root they would also block HadSky's own PHP.
# In the .htaccess of the upload directory only (requires AllowOverride); Apache 2.4 syntax.
# Match executable extensions anywhere in the name: Apache's multi-extension handling can run shell.php.jpg as PHP.
<FilesMatch "\.(php[0-9]?|phtml|phps|phar|pl|py|jsp|asp|sh|cgi)(\.|$)">
    Require all denied
</FilesMatch>
# On Apache 2.2 use "Order Allow,Deny" followed by "Deny from all" instead of "Require all denied".
# With mod_php, additionally turn the PHP engine off for this directory:
php_flag engine off
# In nginx config: scope to the upload directory (/upload/ is assumed here; use HadSky's real path) and place this
# block before the generic "location ~ \.php$" block, because nginx uses the first regex location that matches:
location ~* ^/upload/.*\.(php[0-9]?|phtml|phps|phar|pl|py|jsp|asp|sh|cgi)(\.|$) {
    deny all;
}
Implement File Upload Validation
Add server-side validation that checks the file's real content and every extension in its name. The Content-Type in $_FILES['file']['type'] is sent by the client and must not be trusted.
# Example PHP validation snippet (server-side; $_FILES['file']['type'] is client-supplied and is deliberately not used):
$allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];
$name = basename($_FILES['file']['name']);
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['file']['tmp_name']);  # type detected from the bytes, not the header
# Reject an executable extension anywhere in the name (shell.php.jpg) and any extension/content mismatch
if (preg_match('/\.(php\d?|phtml|phps|phar|pl|py|jsp|asp|sh|cgi)(\.|$)/i', $name) || !isset($allowed[$ext]) || $allowed[$ext] !== $mime) {
    die('Invalid file type');
}
# Store under a server-generated name so the user-supplied name never reaches the filesystem
$dest = $upload_dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
move_uploaded_file($_FILES['file']['tmp_name'], $dest);
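The same validation carried further, as an added example that is not HadSky code and is written in Python rather than the application's PHP so the logic can be exercised stand-alone. The allow-list, the magic bytes and the executable-extension set are assumptions chosen for the demonstration; it generalizes the snippet above by rejecting null bytes, directory components, dotfiles and executable extensions in any position, and by sniffing the content instead of reading the client's Content-Type.

```python
# Added example (not HadSky code): server-side upload validation that
# does not trust anything the client sends. Allow-list and magic bytes
# below are assumptions chosen for the demonstration.
import os
import secrets

# Allowed extension -> magic bytes the file content must start with.
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}

# Extensions a typical LAMP/LEMP stack may execute. Rejected wherever
# they appear in the name, so shell.php.jpg fails as well.
EXECUTABLE_EXT = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phps", "phar",
    "pl", "py", "jsp", "asp", "aspx", "sh", "cgi",
}


def validate_upload(filename, content):
    """Return (True, ext) for an acceptable upload, else (False, reason).

    filename is the client-supplied name, content the raw bytes received.
    """
    # Strip any directory component (../../x.png, C:\x.png) first.
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name:
        return False, "null byte in filename"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"  # also rejects dotfiles such as .htaccess
    exts = parts[1:]
    if any(e in EXECUTABLE_EXT for e in exts):
        return False, "executable extension"
    ext = exts[-1]
    if ext not in ALLOWED_MAGIC:
        return False, "extension not allowed"
    # The client's Content-Type is ignored entirely; sniff the bytes instead.
    if not any(content.startswith(magic) for magic in ALLOWED_MAGIC[ext]):
        return False, "content does not match extension"
    return True, ext


def stored_name(ext):
    """Server-generated name: the user's file name never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    samples = [  # constructed inputs
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("shell.jpg", b"<?php system($_GET['c']); ?>"),
    ]
    for fname, data in samples:
        print(fname, validate_upload(fname, data))
```

Magic-byte sniffing does not defeat polyglots (a valid JPEG with PHP tucked into a comment segment), which is why the web-server deny rules for the upload directory stay in place even with this validation: the file may be an image, but it must never be executable.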
🧯 If You Can't Patch
- Disable file upload functionality completely in HadSky configuration
- Implement web application firewall (WAF) rules to block malicious file upload patterns
🔍 How to Verify
Check if Vulnerable:
Check HadSky version in admin panel or by examining source files for version markers
Check Version:
# Coarse check: look for the vulnerable version string in the install tree (dots escaped so "7.12.10" does not also match "7x12x10").
# A hit in a changelog is not proof on its own; confirm the running version in the admin panel.
grep -rl "7\.12\.10" /path/to/hadsky/installation/ || echo "No version marker found; check admin panel for version info"
Verify Fix Applied:
Using a test account on a staging copy, attempt to upload harmless files named test.php and test.php.jpg containing only a comment. With proper validation both uploads are rejected. If the server accepts one anyway, request the stored file over HTTP: a 403 or the raw text coming back means execution is blocked at the web-server layer; PHP output means the server is still exposed.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with executable extensions
- Multiple failed upload attempts followed by successful upload
- Webshell access patterns in access logs
Network Indicators:
- POST requests to file upload endpoints with unusual file types
- Subsequent connections to uploaded files with executable extensions
SIEM Query:
# Splunk-style. The file_extension field only exists if the logging pipeline extracts the file name from the multipart request body; a plain access log does not carry it, so for access logs the reliable signal is a successful GET to an executable-extension file under the upload directory.
source="web_logs" (method="POST" url="*upload*" AND (file_extension="php" OR file_extension="jsp" OR file_extension="asp"))
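The upload-then-execute pattern from the indicators above, run over access-log lines, as an added example that is not part of this advisory or of HadSky. The combined-log parser is standard, but the /upload/ directory, the upload endpoint and the sample log lines (RFC 5737 addresses) are constructed for the demonstration; substitute HadSky's real upload path.

```python
# Added example (not HadSky code): flag likely webshell use in Apache/nginx
# combined-format access logs. Log lines and the /upload/ path are
# constructed for the demonstration.
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Executable extension anywhere in the path: x.php, x.php?cmd=id, x.php.jpg, x.phtml
EXEC_EXT = re.compile(
    r"\.(php[0-9]?|phtml|phps|phar|jsp|jspx|asp|aspx|cgi|pl|py|sh)(\.|\?|$)", re.I
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_candidates(lines, upload_dirs=("/upload/",)):
    """Return (ip, path, ip_uploaded_earlier) for every 2xx request to an
    executable-extension file under an upload directory.

    The third field is True when the same IP issued a POST to an upload
    endpoint earlier in the log, i.e. the upload-then-execute pattern.
    Access logs do not record the uploaded file name, so the executed
    file itself is the dependable signal; the POST is only corroboration.
    """
    uploaders = set()
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if rec["method"] == "POST" and "upload" in path.lower():
            uploaders.add(rec["ip"])
        elif (rec["status"].startswith("2")
              and any(path.startswith(d) for d in upload_dirs)
              and EXEC_EXT.search(path)):
            hits.append((rec["ip"], path, rec["ip"] in uploaders))
    return hits


# Constructed sample log, not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "POST /upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:00:03 +0000] "GET /upload/files/x.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:01:00 +0000] "GET /upload/files/pic.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:12:02:00 +0000] "GET /upload/files/old.phtml HTTP/1.1" 404 200 "-" "curl/8.0"
192.0.2.3 - - [10/Oct/2023:12:03:00 +0000] "GET /upload/files/a.php.jpg HTTP/1.1" 200 30 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    for ip, path, uploaded in find_webshell_candidates(SAMPLE_LOG):
        print(f"{ip} fetched {path} (prior upload by same IP: {uploaded})")
```

On the sample the 404 for old.phtml is ignored (nothing executed), pic.jpg is ignored (not executable), and two hits remain: the x.php fetch from the IP that uploaded moments earlier, and the a.php.jpg fetch with no upload in view, which is still worth triage because the file should not exist under the upload directory at all.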