CVE-2019-9623

Vulnerability

Feng Office 3.7.0.5 contains an arbitrary file upload vulnerability in ck_upload_handler.php that allows unauthenticated users to upload files. The uploaded files are stored in the /tmp directory, which has an .htaccess file that restricts execution of PHP files (.php, .php2, .php3, etc.). However, the vulnerability can be exploited by uploading a .shtml file containing Server-Side Include (SSI) directives, such as <!--#exec cmd="..."-->. This allows an attacker to execute arbitrary commands on the server [1][2].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to ck_upload_handler.php with a .shtml file that includes an SSI command. The attack steps are: upload the malicious .shtml file, then access the uploaded file via its URL. The server processes the SSI directive and executes the specified system command. No authentication or special privileges are required [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the underlying operating system with the privileges of the web server process. This can lead to full compromise of the Feng Office application and potentially the entire server, including data theft, defacement, or use as a pivot for further attacks [1][2].

Mitigation

As of the publication date, no official patch has been released for Feng Office 3.7.0.5. Affected users should consider upgrading to a newer version of Feng Office if available. Workarounds include disabling Server-Side Includes (mod_include) in the Apache configuration or implementing strict file upload validation to reject .shtml files. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].