CVE-2018-14441
Description
An issue was discovered in cckevincyh SSH CompanyWebsite through 2018-05-03. admin/admin/fileUploadAction_fileUpload.action allows arbitrary file upload, as demonstrated by a .jsp file with the image/jpeg content type.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Arbitrary file upload in CompanyWebsite admin panel allows remote attackers to upload a JSP file, leading to remote code execution.
Vulnerability
The admin/admin/fileUploadAction_fileUpload.action endpoint in cckevincyh SSH CompanyWebsite (through 2018-05-03) does not validate the uploaded file type. An attacker can upload a .jsp file by setting the Content-Type header to image/jpeg, bypassing any client-side checks. The file is stored on the server and can be accessed directly, leading to arbitrary code execution [1].
Exploitation
An attacker with network access to the admin interface can send a crafted HTTP POST request to /CompanyWebsite/admin/admin/fileUploadAction_fileUpload.action. The request carries a multipart form containing a file named 123.jsp with Content-Type: image/jpeg. The server accepts and stores the file, making it reachable under the web root. No authentication beyond access to the admin panel is required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary Java code on the server in the context of the web application. This can lead to full compromise of the web server, including data theft, defacement, or further lateral movement within the network.
Mitigation
No official fix has been released, as the project appears unmaintained. Mitigation is therefore limited to restricting network access to the admin panel, removing the vulnerable endpoint, or upgrading to a patched fork if one is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
- github.com/cckevincyh/CompanyWebsite/issues/4 (MITRE x_refsource_MISC)
News mentions: 0
No linked articles in our index yet.