CVE-2023-46988
📋 TL;DR
A path traversal vulnerability in ONLYOFFICE Document Server allows remote attackers to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint. This can lead to unauthorized access to sensitive files and potential Denial of Service. Affects ONLYOFFICE Document Server installations before version 8.0.1.
💻 Affected Systems
- ONLYOFFICE Document Server
📦 What is this software?
Document Server by Onlyoffice
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive files like configuration files, SSH keys, or database credentials, potentially leading to lateral movement and full server takeover.
Likely Case
Unauthorized access to sensitive files containing configuration data, user information, or internal documents, potentially enabling further attacks.
If Mitigated
Limited impact if proper network segmentation and file permissions are in place, though sensitive data exposure remains possible.
🎯 Exploit Status
The vulnerability requires no authentication and has a publicly available proof-of-concept, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v8.0.1
Vendor Advisory: https://github.com/ONLYOFFICE/DocumentServer/releases/tag/v8.0.1
Restart Required: Yes
Instructions:
1. Back up your data and configuration.
2. Stop the ONLYOFFICE Document Server service.
3. Update to version 8.0.1 or later using your package manager or manual installation.
4. Restart the service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable /example endpoint
[all] Remove or restrict access to the vulnerable /example/editor endpoint
# Configure web server (nginx example) to block /example
location /example { deny all; }
# Or remove the endpoint files if possible
Network access control
[linux] Restrict access to ONLYOFFICE Document Server to trusted networks only
# Firewall rule example (iptables); replace trusted_network with your trusted source address or CIDR range
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the vulnerable server from sensitive systems
- Apply strict file system permissions to limit what files the Document Server process can access
🔍 How to Verify
Check if Vulnerable:
Check if the /example/editor endpoint exists and responds, and verify the server version is below 8.0.1
Check Version:
docker exec onlyoffice-documentserver cat /etc/onlyoffice/documentserver/version.txt 2>/dev/null || grep -i version /var/log/onlyoffice/documentserver/*.log 2>/dev/null
Verify Fix Applied:
Confirm the server version is 8.0.1 or higher and test that the /example/editor endpoint no longer allows path traversal
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /example/editor with suspicious fileExt parameters
- Multiple failed attempts with ../ patterns in URLs
- Access to files outside expected document directories
Network Indicators:
- HTTP requests containing path traversal sequences (../) in the fileExt parameter
- Unusual file access patterns from the Document Server
SIEM Query:
source="onlyoffice" AND (url="/example/editor" AND (fileExt="*../*" OR fileExt="*..\\*"))
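A log-side version of the SIEM query above, as an added example (not part of the original advisory and not ONLYOFFICE code): it scans access log lines for /example/editor requests whose fileExt value contains ../ or ..\ after repeated percent-decoding, which a literal string match misses. The combined access log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed log format: nginx/Apache "combined" access log lines.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # ../ or ..\ as in the SIEM query

# Constructed sample lines (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2024:10:00:01 +0000] "GET /example/editor?fileExt=docx HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Mar/2024:10:00:05 +0000] "GET /example/editor?fileExt=../../constructed/target HTTP/1.1" 200 312',
    '203.0.113.9 - - [01/Mar/2024:10:00:09 +0000] "GET /example/editor?fileExt=%252e%252e%252fconstructed HTTP/1.1" 500 0',
    '198.51.100.7 - - [01/Mar/2024:10:00:12 +0000] "GET /welcome/?note=../x HTTP/1.1" 200 900',
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_fileext(line):
    """Return (ip, status, decoded fileExt) for a flagged line, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.rstrip("/").endswith("/example/editor"):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("fileExt", []):
        value = decode_fully(raw)  # parse_qs already decoded one layer
        if TRAVERSAL_RE.search(value):
            return m.group("ip"), int(m.group("status")), value
    return None

def scan(lines):
    """Collect every flagged request from an iterable of log lines."""
    return [hit for hit in map(suspicious_fileext, lines) if hit]

if __name__ == "__main__":
    for ip, status, value in scan(SAMPLE_LOG):
        print(f"{ip} status={status} fileExt={value!r}")
```

Flagged requests answered with status 200 are the ones to triage first. Parameters sent in a request body do not appear in access logs, so this check covers query-string requests only.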