Source: cna@vuldb.com
A vulnerability was identified in jackying H-ui.admin up to 3.1. This affects an unknown function in the library /lib/webuploader/0.1.5/server/preview.php. The manipulation leads to unrestricted upload. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
A critical vulnerability in jackying H-ui.admin versions up to 3.1 allows unrestricted file upload through the /lib/webuploader/0.1.5/server/preview.php endpoint. A public exploit exists, and the vendor has not responded, so no fix is available. A remote attacker who can upload a server-side script to a web-accessible location can potentially achieve code execution and full compromise of the host.
Step 1: Target Identification: Identify a vulnerable H-ui.admin installation (version up to 3.1).
Step 2: Payload Preparation: Craft a malicious file (e.g., a web shell, PHP script) designed to execute commands on the server.
Step 3: Exploit Delivery: Send an HTTP POST request to /lib/webuploader/0.1.5/server/preview.php carrying the malicious file. Because the endpoint does not effectively restrict what is uploaded, the file is accepted as-is.
Step 4: File Upload: The script writes the file to a directory under the web root, so the attacker can request it over HTTP.
Step 5: Command Execution: If the web server executes PHP in that directory (the default in most PHP deployments that have not explicitly disabled it), requesting the uploaded file runs the attacker's code, giving remote code execution and a foothold on the host.
Based on the public description (the affected function is not named), the vulnerability stems from insufficient validation of uploaded files in the preview.php script: it appears not to enforce an allowlist of file types, a size limit, or a controlled destination, so an attacker can place arbitrary files, including web shells, on the server. The likely root cause is a missing or inadequate check on file extension and content type, combined with an upload directory from which the web server will serve and execute scripts.
Because the exploit is public and the attack requires no authentication or special conditions beyond network access to the endpoint, this vulnerability poses a significant threat. No specific threat actors are linked to it at this time, but unauthenticated upload-to-RCE bugs in web applications are routinely mass-exploited by opportunistic attackers seeking an initial foothold. Not currently listed on CISA KEV.
Monitor web server logs for suspicious POST requests to /lib/webuploader/0.1.5/server/preview.php with file upload parameters.
Inspect files written to the upload or preview directory for server-side code (for example PHP open tags) and for script extensions such as .php or .phtml that have no business in an image upload area, regardless of what the file claims to be.
Implement file integrity monitoring to detect unauthorized file modifications.
Network Intrusion Detection Systems (NIDS) should alert on HTTP POST requests to the affected path and on script content (e.g. PHP tags) inside upload bodies; note that this only works where traffic is inspected in the clear or after TLS termination.
Monitor for unusual outbound network connections from the web server, which could indicate command and control activity.
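The following is an added example (not code from the advisory or from H-ui.admin) that implements the first two detection steps above: it parses web server access logs in combined format for POSTs to the vulnerable endpoint, and scans an upload directory for files that a PHP server could execute or that carry PHP code under an image extension. The log lines and the sample files are constructed for the example; the upload directory location is an assumption, since the advisory does not name it.

```python
import re
import tempfile
from pathlib import Path

# Endpoint named in the advisory.
VULN_PATH = "/lib/webuploader/0.1.5/server/preview.php"

# Extensions a typical PHP server will execute. Assumption: the upload area
# should only ever hold images, so any of these is a finding.
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".inc"}
# Only the PHP-specific tags; a bare "<?" would false-positive on XMP metadata
# ("<?xpacket ...") legitimately embedded in JPEGs.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Apache/nginx combined format: ip ident user [time] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:13:01:05 +0000] "POST /lib/webuploader/0.1.5/server/preview.php HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2024:13:01:09 +0000] "GET /lib/webuploader/0.1.5/server/preview.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:13:02:00 +0000] "POST /lib/webuploader/0.1.5/server/preview.php HTTP/1.1" 404 196 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so path matching is not defeated by "?x=1".
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_upload_attempts(log_text):
    """Return every POST to the vulnerable endpoint. A 200 means the endpoint is
    reachable and the upload probably succeeded; a 404 indicates scanning against
    a host where the file is absent. GETs are excluded: they do not upload."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == VULN_PATH:
            hits.append(rec)
    return hits


def scan_upload_dir(root):
    """Flag files under root with a script extension or with PHP code in their first
    64 KiB regardless of extension (a .jpg carrying <?php is still a shell if the
    server is misconfigured to execute it, and is evidence of an attack either way)."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        reasons = []
        if p.suffix.lower() in SCRIPT_EXTENSIONS:
            reasons.append("script extension")
        with p.open("rb") as f:
            head = f.read(65536)
        if PHP_OPEN_TAG.search(head):
            reasons.append("php open tag")
        if reasons:
            findings.append((p.name, reasons))
    return sorted(findings)


def demo_scan():
    """Build a constructed upload directory (benign JPEG, plain .php shell, and a
    JPEG/PHP polyglot) in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        (root / "shell.php").write_bytes(b"<?php system($_GET['c']); ?>")
        (root / "poly.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>")
        return scan_upload_dir(root)


if __name__ == "__main__":
    for rec in find_upload_attempts(SAMPLE_LOG):
        print(f"{rec['ip']} POST {VULN_PATH} -> HTTP {rec['status']}")
    for name, reasons in demo_scan():
        print(f"{name}: {', '.join(reasons)}")
```

Run it against real logs by reading the access log into `find_upload_attempts` and pointing `scan_upload_dir` at the directory preview.php writes to; a POST with a 200 followed shortly by a GET for a new .php path from the same client is the pattern to escalate on.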
No vendor fix was available at disclosure (the vendor did not respond). Upgrade to a patched version of H-ui.admin if one is released; until then, apply the compensating controls below.
Implement robust input validation and sanitization on all file uploads, including file type, size, and content checks.
Store uploads outside the web root where possible; where they must be web-accessible, configure the web server to never execute scripts from that directory (disable the PHP handler there and serve files as static content only).
Implement a web application firewall (WAF) to filter malicious requests.
Regularly scan the system for known vulnerabilities and apply security patches promptly.
The vulnerable endpoint lives inside a bundled library directory (/lib/webuploader/0.1.5/server/). If the application does not need these server-side scripts, remove them or block access to that path at the web server; shipped library demo code is a common source of exactly this kind of exposure.