OA E-Weaver Arbitrary File Read Scanner

Detects the 'Arbitrary File Read' vulnerability in the OA E-Weaver SptmForPortalThumbnail component.

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 22 hours
Scan only one: URL
Toolbox: -

OA E-Weaver is a widely used collaborative office automation suite designed to improve the efficiency of organizational workflows. Companies and organizations use it to manage tasks, documents, and team communication, and it integrates the functions needed for everyday business operations. E-Weaver is extensible and ships with additional components such as the SptmForPortalThumbnail feature, which generates and manages image previews. Its adoption spans multiple sectors because of its comprehensive feature set. Like any software, however, it is not immune to vulnerabilities in its components.

An Arbitrary File Read vulnerability allows an attacker to retrieve files from a server without authorization. It arises when user-supplied input selects a resource on the file system without adequate validation, so that files outside the intended directory become reachable. In this case, the SptmForPortalThumbnail feature of OA E-Weaver can be abused to read files the requester should have no permission to access. File read vulnerabilities are a significant risk because they can expose confidential information, and they underline the importance of strict input validation and access control in software development.

Technical analysis of SptmForPortalThumbnail.jsp shows a parameter-handling flaw that lets files be retrieved from the server's file system. The endpoint /portal/SptmForPortalThumbnail.jsp accepts a 'preview' parameter whose value is used without sufficient validation, allowing unauthorized file downloads. The scanner's matchers confirm successful exploitation by checking for the keyword "weaver.general.BaseBean" in the response body, a Content-Type header of "image/png", and an HTTP 200 status; a response meeting all three conditions indicates that the requested file was served from the server's file system.

If exploited, this vulnerability can lead to unauthorized access to sensitive corporate or personal data, posing privacy and compliance risks. An attacker could potentially extract configuration files, databases, or other critical information from the server. Exposure of such files may provide intelligence required for further attacks, such as gaining administrative access or executing remote code. The leakage of proprietary information could result in financial losses and damage to reputational trust. Addressing this vulnerability is crucial to safeguarding against potential exploitation and abuse.
