CVE-2025-15415

MEDIUM 5.1 / 10.0
Published: January 1, 2026 at 10:15 PM
Modified: January 12, 2026 at 06:03 PM
Source: cna@vuldb.com

Vulnerability Description

A vulnerability has been found in xnx3 wangmarket up to 6.4. The impacted element is the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Metrics

Base Score
5.1
Severity
MEDIUM
Vector String
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: cna@vuldb.com
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Critical vulnerability discovered in xnx3 wangmarket versions up to 6.4 allows unrestricted file upload via the /sits/uploadImage.do endpoint. This flaw, stemming from improper handling of the image argument, could lead to remote code execution (RCE) and complete system compromise; the vendor has not addressed the issue despite prior notification.

02 // Vulnerability Mechanism

Step 1: Craft Malicious Payload: The attacker creates a malicious file (e.g., a web shell, PHP script, or other executable) designed to be uploaded and executed on the server.

Step 2: Construct HTTP Request: The attacker crafts an HTTP POST request to the /sits/uploadImage.do endpoint. This request includes the malicious file as the value for the image argument, typically encoded as a multipart/form-data payload.

Step 3: Bypass Validation: The crafted request bypasses any existing input validation or file type checks implemented by the vulnerable application. The lack of proper validation allows the malicious file to be accepted.

Step 4: File Upload: The server processes the request and uploads the malicious file to a designated directory, likely within the web server's document root.

Step 5: Code Execution: The attacker accesses the uploaded file via a web browser or other HTTP client, triggering the execution of the malicious code. This could lead to remote code execution (RCE), allowing the attacker to execute commands on the server, potentially gaining full control of the system.

03 // Deep Technical Analysis

The vulnerability lies within the uploadImage function in /sits/uploadImage.do. The root cause is a lack of proper input validation and sanitization of the image argument. Specifically, the application fails to adequately check the file type, size, or content of the uploaded file. This allows an attacker to upload malicious files, such as web shells or executable scripts, to a publicly accessible directory. The absence of proper access controls or file extension filtering further exacerbates the issue, enabling attackers to execute arbitrary code on the server. The vendor's failure to respond to the vulnerability report indicates a lack of security awareness and potentially increases the risk of exploitation.
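The checks the analysis above says are missing (file type, size, content and extension filtering) can be expressed as a single server-side validator. The following is an added example, not wangmarket's code; the upload root, size limit, signature table and function names are assumptions:

```python
import os
import re
import secrets

# Allowed image extensions and the magic bytes each must start with.
IMAGE_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_IMAGE_BYTES = 5 * 1024 * 1024  # assumed limit

# Assumed storage directory, deliberately outside the web root so an
# accepted file can never be requested (and executed) directly.
UPLOAD_ROOT = "/var/lib/app-uploads/images"


class UploadRejected(ValueError):
    """Raised when the upload fails one of the checks."""


def validate_image_upload(client_filename: str, data: bytes) -> str:
    """Validate the 'image' upload and return a server-chosen storage path.

    Order of checks: size, strict extension allowlist taken from the client
    name, then content (magic bytes) matching that extension. The client
    name is only inspected, never used as the stored filename.
    """
    if not data or len(data) > MAX_IMAGE_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Drop any directory component the client sent (../ or ..\ tricks).
    base = os.path.basename(client_filename.replace("\\", "/"))
    # Exactly one extension: names with extra dots (double extensions)
    # or no extension at all do not match.
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if not m:
        raise UploadRejected("filename not in allowed form")
    ext = m.group(1).lower()
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension .{ext} not allowed")
    # Content must really be the declared image type; an image extension
    # on non-image bytes is refused here.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        raise UploadRejected("content does not match declared image type")
    # Random server-chosen name: the uploader controls nothing in the path.
    return os.path.join(UPLOAD_ROOT, f"{secrets.token_hex(16)}.{ext}")


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload passes every check."""
    try:
        validate_image_upload(client_filename, data)
        return True
    except UploadRejected:
        return False
```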

CVE-2025-15415 - MEDIUM Severity (5.1) | Free CVE Database | 4nuxd