Seeyon OA Arbitrary File Upload Scanner

Detects 'Arbitrary File Upload' vulnerability in Seeyon OA allowing for unauthorized file uploads and potential server access by malicious entities.

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 3 weeks 8 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -

Seeyon OA is a web-based office automation system used by numerous organizations for managing internal communications, workflows, and document management processes. It is primarily used by corporate entities, educational institutions, and governmental organizations to streamline operations and enhance productivity. By automating routine administrative tasks, it allows users to focus on more strategic activities within the organization. Seeyon OA's integration capabilities also allow it to interact with other enterprise applications, further enhancing its functionality. Additionally, it supports collaboration among users, facilitating teamwork and information sharing. As a comprehensive solution, it caters to various needs, from task management to file sharing.

The arbitrary file upload vulnerability in Seeyon OA's wpsAssistServlet interface allows attackers to upload any file type, including potentially harmful ones. Such vulnerabilities are critical because they enable malicious users to upload scripts or executables that can disrupt or take control of the server. The vulnerability occurs due to insufficient validation and control over the file upload mechanism. Attackers can exploit this by sending crafted HTTP requests with specific payloads to upload unauthorized files. Once a malicious file is uploaded, it can be executed to steal data, carry out further attacks, or cause resource interruptions. As this vulnerability is rated critical, rapid mitigation steps are essential to protect systems from exploitation.

Technically, the vulnerability can be exploited via HTTP requests directed to the wpsAssistServlet interface. The file upload mechanism in this servlet lacks adequate restriction checks on the file type or path, allowing files to be placed in directories that are publicly accessible or that have executable permissions. A typical attack involves using multipart/form-data requests to upload a malicious JSP file, which can then be accessed via a browser to execute commands on the server. The vulnerability lies in the 'flag' parameter and the pathname manipulation that allows file writing outside expected directories. Effective exploitation necessitates both writing and later executing the uploaded file.
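One way to review web access logs for the write-then-execute pattern described above (an added example, not the scanner's own check or code from the original page). The log lines, the /app/ path prefix, the "p" parameter and the flag value are constructed placeholders; only the wpsAssistServlet name and the 'flag' parameter come from the text.

```python
import re
from urllib.parse import unquote

# Combined-log-format subset: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
FLAG_RE = re.compile(r"(?:^|&)flag=", re.I)

# Constructed sample lines. The /app/ prefix, the "p" parameter and the
# flag value are placeholders, not the product's real request format.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "POST /app/wpsAssistServlet?flag=x&p=..%2F..%2Fweb%2Fa.jsp HTTP/1.1" 200 51',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /app/a.jsp HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /app/main.jsp HTTP/1.1" 200 900',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "POST /app/wpsAssistServlet?flag=x&p=report.docx HTTP/1.1" 200 40',
]


def find_suspicious(lines):
    """Return (uploads, followups) for wpsAssistServlet upload activity."""
    uploads, followups, uploaders = [], [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, method, target, status = m.groups()
        path, _, query = target.partition("?")
        if (method == "POST" and "wpsassistservlet" in path.lower()
                and FLAG_RE.search(query)):
            # Decode twice so double-encoded separators are still seen.
            decoded = unquote(unquote(query))
            uploads.append({"client": client, "target": target,
                            "traversal": bool(TRAVERSAL_RE.search(decoded))})
            uploaders.add(client)
        elif (client in uploaders and status == "200"
                and path.lower().endswith(".jsp")):
            # Same client fetched a JSP after an upload request: the
            # write-then-execute sequence the text describes.
            followups.append({"client": client, "path": path})
    return uploads, followups


if __name__ == "__main__":
    ups, follows = find_suspicious(SAMPLE_LOG)
    for u in ups:
        print("upload request:", u)
    for f in follows:
        print("JSP fetched after upload:", f)
```

An upload request with `traversal` set to true, followed by a JSP fetch from the same client, is the combination to triage first.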

The consequences of a successful exploitation of this vulnerability can be severe. It may lead to unauthorized access to sensitive information stored on the server or even full control over the server, allowing for further attacks or disruptions. Executed scripts can modify or delete files, extract sensitive data, or install backdoors for persistent access. Organizations may face operational disruptions if critical systems are affected, leading to downtime or loss of productivity. Additionally, there could be reputational damage and potential legal liabilities if sensitive customer or employee data is compromised.
