Tongda OA API Arbitrary File Upload Scanner

Detects 'Arbitrary File Upload' vulnerability in Tongda OA API.

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 26 days 14 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -

Tongda OA, an office management software, is utilized by enterprises to streamline their administrative and management tasks. The software is designed for businesses of all sizes to improve their workflow management, document sharing, and communication processes. Used predominantly in corporate environments, Tongda OA helps teams track progress and manage tasks effectively. It supports various administrative functions, enabling user collaboration across different departments. The software aids in the rapid adoption of efficient processes for completing administrative work. With its comprehensive modules, Tongda OA enhances operational efficiency and productivity in organizations.

Arbitrary File Upload vulnerabilities allow attackers to upload malicious files to the server without proper validation. This vulnerability occurs when the server does not validate or sanitize the contents and types of uploaded files. As a result, malicious users can exploit this vulnerability to upload web shells or malicious executables. When executed, these files can let attackers gain remote access to the server and perform unauthorized activities. It poses significant security risks, as compromised servers can be used for attacks such as data breaches, server manipulation, and other unauthorized operations. Despite being widely understood, this vulnerability persists due to poor validation mechanisms in file upload functionalities.

The arbitrary file upload vulnerability in Tongda OA lies in the application's api.ali.php script. By sending crafted requests to this endpoint, attackers can upload files of any type to the server: the form-data parameters of a multipart HTTP POST request can be manipulated to bypass the security checks. Because the application validates neither the file type nor the file content, an uploaded script can later be executed. The vulnerability exists because the script neither restricts the types of files it accepts nor ensures that uploaded files cannot execute once stored. Attackers can place harmful code in the uploaded files, potentially compromising the integrity and security of the server.
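As an added illustration (not Tongda OA's code and not the scanner's), the following shows the server-side checks whose absence is described above: every header in a multipart/form-data part, including the filename and the declared Content-Type, is chosen by the client, so a handler has to decide on an extension allowlist, the file's own leading bytes and a server-generated storage name. The boundary, field name, file names and contents are constructed sample data.

```python
import email
import os
import re
import secrets
from email import policy

# Allowlisted extensions and the leading bytes each must carry (constructed).
ALLOWED_MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n"}
# One base name, exactly one extension: no paths, no x.pdf.php, no NUL bytes.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([a-z0-9]{1,5})$")

# Constructed body: a real PDF, a script whose part claims image/png, and a
# .png whose bytes are really a PDF. The client controls every header here.
BOUNDARY = "----ConstructedBoundary42"
SAMPLE_BODY = (
    b"------ConstructedBoundary42\r\n"
    b'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n%PDF-1.4\n%sample\n"
    b"\r\n------ConstructedBoundary42\r\n"
    b'Content-Disposition: form-data; name="file"; filename="../cmd.php"\r\n'
    b"Content-Type: image/png\r\n\r\n<?php /* placeholder */ ?>"
    b"\r\n------ConstructedBoundary42\r\n"
    b'Content-Disposition: form-data; name="file"; filename="photo.png"\r\n'
    b"Content-Type: image/png\r\n\r\n%PDF-1.4\n%not an image\n"
    b"\r\n------ConstructedBoundary42--\r\n"
)


def file_parts(boundary, body):
    """Yield (client_filename, declared_type, data) for each multipart part."""
    head = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'
    msg = email.message_from_bytes(head.encode() + body, policy=policy.default)
    for p in msg.iter_parts():
        yield p.get_filename(), p.get_content_type(), p.get_payload(decode=True)


def validate_upload(client_filename, declared_type, data):
    """(accepted, detail): trusts neither the filename nor the declared type."""
    m = SAFE_NAME.match(os.path.basename(client_filename or ""))
    if not m:
        return False, f"unsafe filename {client_filename!r}"
    ext = m.group(1)
    if ext not in ALLOWED_MAGIC:
        return False, f".{ext} not allowlisted (client declared {declared_type})"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, f"bytes are not {ext} (client declared {declared_type})"
    # Server-chosen random name, to be stored outside the web root by the
    # caller, so the client never picks the stored name and nothing it sends runs.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Running validate_upload over the three parts of SAMPLE_BODY accepts only report.pdf; cmd.php is rejected on its extension regardless of the image/png it declares, and photo.png is rejected because its bytes are not a PNG.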

Exploiting this arbitrary file upload vulnerability can lead to severe consequences for the affected Tongda OA installations. Malicious actors can upload and execute files remotely, gaining control of important server functions. This leads to potential data theft, server manipulation, unauthorized access to sensitive information, and disruption of services. Attackers can use the server as a platform for launching more significant attacks against other systems. Once compromised, the server could propagate malware, participate in distributed attacks, and become a persistent threat to network integrity and data confidentiality.
