Hongfan OA Arbitrary File Read Scanner

Detects the 'Arbitrary File Read' vulnerability in Hongfan OA.

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 12 days 6 hours
Scan only one: URL
Toolbox: -

Hongfan OA is an office automation software widely used by enterprises and organizations to streamline communication, data management, and document processing workflows. It is deployed by IT administrators and used by office staff to enhance productivity and ensure effective management of office tasks. Designed with various tools and features, it supports users in managing daily business operations seamlessly. The software is often integrated into existing systems to provide efficient scheduling, document sharing, and collaborative features. Its adaptability and third-party integration capabilities make it a favored solution among mid-sized to large enterprises. Additionally, Hongfan OA helps reduce operational costs and facilitate remote work by offering a unified platform for office automation.

The Arbitrary File Read vulnerability allows attackers to read sensitive files from a server without proper authorization. This vulnerability can expose critical configuration files and sensitive data stored on the server, and exploiting it could lead to unauthorized access and information leakage. By leveraging such a vulnerability, attackers can circumvent protections to retrieve files that should typically remain confidential. The vulnerability is 'arbitrary' because, with insufficient path checks in place, any file readable by the application can be targeted. Such vulnerabilities are serious since they can compromise the overall security of the affected application.

This check targets the 'ioFileExport.aspx' endpoint of the Hongfan OA application, which permits reading the 'web.config' file; that file may contain sensitive server and application configuration information. A GET request to the endpoint with specific query parameters, including 'url' and 'filename', fetches the configuration. Successful exploitation is confirmed by checking the response body for the 'configSection' and 'iOfficeUpload' keywords; a response header containing 'application/octet-stream' indicates that raw file content was returned. When improperly secured, this endpoint can be manipulated into disclosing information that aids further attacks.
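As an added example (not code from the scanner page or from Hongfan OA), the following Python applies the detection criteria described above to a captured HTTP response: it parses the raw response, requires the 'application/octet-stream' content type, and requires both body keywords. The two raw responses are constructed samples, and the case-insensitive header lookup and plain substring keyword test are assumptions about how the matcher is applied.

```python
from typing import Dict, Tuple

# Indicators taken from the scanner description above.
BODY_KEYWORDS = ("configSection", "iOfficeUpload")
EXPECTED_CONTENT_TYPE = "application/octet-stream"


def parse_raw_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 200 OK" -> 200
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", errors="replace")


def matches_file_read(headers: Dict[str, str], body: str) -> bool:
    """Return True only when the header AND both body keywords are present.

    The keyword test is a plain substring match, so '<configSections>' in a
    real web.config satisfies the 'configSection' indicator.
    """
    if EXPECTED_CONTENT_TYPE not in headers.get("content-type", "").lower():
        return False
    return all(word in body for word in BODY_KEYWORDS)


def check(raw: bytes) -> bool:
    """Convenience wrapper: parse a raw response and run the matcher on it."""
    _status, headers, body = parse_raw_response(raw)
    return matches_file_read(headers, body)


# Constructed sample: a response that returns configuration content as a file.
LEAKED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=web.config\r\n"
    b"\r\n"
    b'<?xml version="1.0"?>\r\n<configuration>\r\n  <configSections>\r\n'
    b'    <section name="iOfficeUpload" type="PLACEHOLDER"/>\r\n'
    b"  </configSections>\r\n</configuration>\r\n"
)

# Constructed sample: an HTML error page, which must not match.
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body>File not found</body></html>"
)
```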

Exploitation of this vulnerability can lead to unauthorized data exposure, putting sensitive system and user information at risk. Attackers may use the exposed configuration data to facilitate further attacks or gain remote access. There is also the threat of data theft, where confidential or proprietary information could be extracted and misused. Organizations may face reputational damage and financial losses if such vulnerabilities are exploited in a real-world attack. Moreover, sensitive information leakage could lead to compliance violations if confidentiality is breached.
