CVE-2025-15426

MEDIUM 6.9 / 10.0
Published: January 2, 2026 at 04:15 AM
Modified: January 2, 2026 at 04:45 PM
Source: cna@vuldb.com

Vulnerability Description

A vulnerability was identified in jackying H-ui.admin up to version 3.1. It affects an unknown function in the file /lib/webuploader/0.1.5/server/preview.php. Manipulation of the request leads to unrestricted upload. The attack can be carried out remotely. A public exploit exists and may be in use. The vendor was contacted early about this disclosure but did not respond in any way; no fixed version is listed.

CVSS Metrics

Base Score
6.9
Severity
MEDIUM
Vector String
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Decoded: reachable over the network, low attack complexity, no preconditions, no privileges and no user interaction required (AV:N/AC:L/AT:N/PR:N/UI:N); the CNA scored only low confidentiality, integrity and availability impact on the vulnerable system (VC:L/VI:L/VA:L) and no impact on subsequent systems; the exploit maturity is proof-of-concept (E:P). Note that the low impact ratings do not by themselves account for code execution, so treat the RCE scenario in the analysis below as a possible escalation rather than what the score measures.

Weaknesses (CWE)

Source: cna@vuldb.com

AI Security Analysis

01 // Technical Summary

A vulnerability rated MEDIUM (CVSS 4.0 base score 6.9) in jackying H-ui.admin versions up to 3.1 allows unrestricted file upload via the /lib/webuploader/0.1.5/server/preview.php endpoint. The flaw is reachable by an unauthenticated remote attacker and a public exploit exists. Because the vendor did not respond to the disclosure, no fixed version is available, so operators must mitigate on their own. The practical impact is that an attacker can place files of their choosing on the server; if the upload location is web-served and permits script execution, that escalates to code execution and full compromise of the application host.

02 // Vulnerability Mechanism

Step 1: Target Identification: Locate an H-ui.admin installation (version up to 3.1) that still ships the bundled WebUploader example server scripts, in particular /lib/webuploader/0.1.5/server/preview.php.
Step 2: Payload Preparation: Prepare a file the server will treat as executable, for example a PHP web shell.
Step 3: Exploit Delivery: Send a crafted HTTP POST request to /lib/webuploader/0.1.5/server/preview.php carrying the payload. The advisory does not publish the exact request format or the check that is bypassed; the essential point is that the server does not restrict what is written.
Step 4: File Upload: The script accepts the payload and writes it to a directory under the web root.
Step 5: Command Execution (inferred): If that directory is served and the web server executes scripts there, requesting the uploaded file runs the attacker's code. This step is the analysis's inference from the bug class, not something the advisory or the CVSS impact ratings confirm.

03 // Deep Technical Analysis

The advisory does not publish the root cause, so the following is inferred from the bug class. The vulnerability stems from insufficient validation of the uploaded content within preview.php: the script does not adequately restrict the file type, the resulting file extension, or the destination of what it writes, so an attacker can store arbitrary files, including web shells, on the server. Typical root causes in handlers of this kind are trusting a client-supplied type or extension instead of an allow-list, not verifying that the bytes are actually an image, and writing into a web-served, script-executable directory with predictable names. Any one of these is enough for a file-write primitive; the combination of a controllable extension and an executable upload directory is what turns it into remote code execution.
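The following is an added example, not code from H-ui.admin or WebUploader, showing the two halves the analysis above describes: a preview handler that takes the saved file's extension from attacker-controlled input, and a hardened rewrite that allow-lists the type, verifies the bytes are a real image, derives the extension from the detected format, and uses an unguessable filename. The vulnerable shape is modeled on the upstream WebUploader example preview script, which accepts an image data URI in the POST body; that H-ui.admin's bundled copy at the path above behaves the same way is an assumption of this example and is not confirmed by the advisory. The function names, the preview directory and the sample inputs are all constructed for the demonstration.

```php
<?php
// Added example: vulnerable vs hardened data-URI preview handler (not project code).

// VULNERABLE shape (assumed to match the upstream WebUploader example):
// the extension comes from the client-declared type, so a body of
// "data:image/php;base64,..." is written as <md5>.php into a served directory.
function preview_vulnerable(string $body, string $dir): string {
    if (!preg_match('#^data:image/(\w+);base64,(.*)$#', $body, $m)) {
        throw new RuntimeException('not a data URI');
    }
    $type = $m[1] === 'jpeg' ? 'jpg' : $m[1];   // attacker controls $type
    $data = base64_decode($m[2]);                // lenient decode, no content check
    $path = $dir . DIRECTORY_SEPARATOR . md5($m[2]) . '.' . $type;
    file_put_contents($path, $data);
    return $path;
}

// HARDENED version:
//  1. allow-list the declared type instead of accepting any \w+;
//  2. strict base64 decode with a size cap;
//  3. require the bytes to parse as a real image (getimagesizefromstring);
//  4. take the extension from the detected format, never from the request;
//  5. use an unguessable name (the write directory should also be configured
//     to deny script execution, see the note below).
const PREVIEW_ALLOWED = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
const PREVIEW_MAX_BYTES = 2 * 1024 * 1024;

function preview_hardened(string $body, string $dir): string {
    if (!preg_match('#^data:image/(jpeg|jpg|png|gif);base64,([A-Za-z0-9+/=]+)$#', $body, $m)) {
        throw new RuntimeException('rejected: not an allow-listed image data URI');
    }
    $data = base64_decode($m[2], true);          // strict: reject stray characters
    if ($data === false || $data === '' || strlen($data) > PREVIEW_MAX_BYTES) {
        throw new RuntimeException('rejected: bad or oversized payload');
    }
    $info = @getimagesizefromstring($data);       // parses the real image header
    if ($info === false || !isset(PREVIEW_ALLOWED[$info[2]])) {
        throw new RuntimeException('rejected: payload is not a supported image');
    }
    $ext  = PREVIEW_ALLOWED[$info[2]];            // extension follows detected format
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    if (file_put_contents($path, $data, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $path;
}

// Demonstration with constructed inputs: run from the CLI as `php preview_example.php`.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'preview_demo';
@mkdir($dir, 0700, true);

// Constructed samples: a 1x1 GIF and a PHP web shell declared as "image/php".
$gif   = 'data:image/gif;base64,' . base64_encode(
    "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01\x00\x00\x00\x00" .
    ",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;");
$shell = 'data:image/php;base64,' . base64_encode("<?php system(\$_GET['c']); ?>");

foreach (['vulnerable' => 'preview_vulnerable', 'hardened' => 'preview_hardened'] as $label => $fn) {
    foreach (['gif' => $gif, 'shell' => $shell] as $kind => $input) {
        try {
            printf("%-10s %-5s -> wrote %s\n", $label, $kind, basename($fn($input, $dir)));
        } catch (RuntimeException $e) {
            printf("%-10s %-5s -> %s\n", $label, $kind, $e->getMessage());
        }
    }
}
```

Running it shows the vulnerable handler writing both a .gif and a .php file, while the hardened one writes only the GIF and rejects the shell at the allow-list check; a payload that declares itself image/png but carries PHP source is likewise rejected at the image-parsing check. Because the vendor has not shipped a fix, the immediate mitigations for a deployed H-ui.admin are to delete the bundled WebUploader server scripts if the application does not use them, and to make the web server refuse to execute scripts in any directory the preview handler can write to (for example an Apache `php_flag engine off` or a `location` block in nginx that returns 403 for `.php` under that path).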

CVE-2025-15426 - MEDIUM Severity (6.9) | Free CVE Database | 4nuxd