CVE-2020-37091
Description
Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload capabilities through the FAQ attachment system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Maian Support Helpdesk 4.3 is vulnerable to CSRF, allowing unauthenticated attackers to create admin accounts and upload arbitrary PHP files via the FAQ attachment system.
Vulnerability
Overview
Maian Support Helpdesk 4.3 lacks cross-site request forgery (CSRF) protections on its administrative functions. An attacker can craft a malicious HTML form that, when submitted by the browser of a logged-in administrator, creates a new administrative account or uploads arbitrary files through the FAQ attachment system. The FAQ attachment handler imposes no restrictions on file type, so a PHP file can be uploaded and then executed by the web server [1][2][3].
Exploitation
The attacker needs no credentials of their own; the attack only requires that an administrator who is logged into the helpdesk visit a page the attacker controls. The provided proof-of-concept demonstrates a form that silently adds an admin user with a password known to the attacker. A second vector uses the same technique to upload a PHP web shell via the FAQ attachment field, which succeeds because the attachment handler enforces no file-type restrictions [2][3].
Impact
Successful exploitation grants the attacker full administrative access to the helpdesk. With admin privileges, the attacker can further abuse the unrestricted file upload to execute arbitrary PHP code on the server, leading to complete compromise of the application and the underlying system [1][2][3].
Mitigation
As of the advisory date, no patch has been released and the vendor has not acknowledged the vulnerability. Operators should require a per-session CSRF token on every state-changing request (including the add-user and FAQ-attachment forms), reject cross-origin POSTs, and restrict FAQ uploads to an allowlist of safe types verified against the file content rather than the client-supplied name. Until a fix is available, a web application firewall can help detect and block malicious requests, but it does not replace the application-level controls [1][2][3].
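The following is an added example of the two controls the mitigation calls for, written as generic PHP helpers; it is not Maian Support Helpdesk's own code, and the function names, the session key, the expected host name and the upload directory are assumptions made for illustration.

```php
<?php
// Added illustrative example: per-session CSRF token plus an upload allowlist.
// Not Maian Support Helpdesk code. Function names, session key, host and
// upload path are assumptions for this example.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';          // assumed session key
const EXPECTED_HOST    = 'helpdesk.example';    // assumed configured hostname, not taken from Host header
const UPLOAD_DIR       = '/var/helpdesk_data/faq'; // assumed path outside the web root
const ALLOWED_UPLOADS  = [                      // extension => MIME type the content must sniff as
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'txt' => 'text/plain',
];

// Issue (or reuse) an unguessable per-session token; embed it in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Reject the request unless it is a POST carrying the session's token and its
// Origin (or, failing that, Referer) names our own host. A form on an attacker's
// page cannot read the token, and its Origin header will be the attacker's site.
function require_csrf_token(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('state-changing actions must use POST');
    }
    $sent   = $_POST['csrf_token'] ?? '';
    $stored = $_SESSION[CSRF_SESSION_KEY] ?? '';
    if ($stored === '' || !is_string($sent) || !hash_equals($stored, $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    $origin     = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $originHost = parse_url($origin, PHP_URL_HOST);
    if ($originHost !== EXPECTED_HOST) {   // strict: a missing header is also rejected
        http_response_code(403);
        exit('cross-origin request rejected');
    }
}

// Validate a FAQ attachment: upload status, size, extension allowlist, and the MIME
// type sniffed from the bytes (never the client-supplied type). The file is stored
// under a random name outside the web root, so nothing attacker-chosen is executable.
function store_faq_attachment(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > 5 * 1024 * 1024) {
        throw new RuntimeException('attachment too large');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        throw new RuntimeException('file type not allowed');      // .php, .phtml etc. never pass
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_UPLOADS[$ext]) {
        throw new RuntimeException('content does not match extension'); // e.g. PHP source named .png
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    return $dest;
}

// Sketch of how the "add admin user" and "add FAQ attachment" handlers would use
// the helpers (hypothetical handler; session_start() must precede any token use).
function handle_faq_attachment_post(): string
{
    session_start();
    require_csrf_token();
    return store_faq_attachment($_FILES['attachment'] ?? []);
}
```

The token check alone would have stopped both proof-of-concept forms, since a page on another origin can neither read the session token nor forge a same-site Origin header; the Origin check and a `SameSite=Lax` session cookie are defence in depth. The upload allowlist closes the second vector regardless of CSRF, and serving attachments from a directory where the web server is configured not to execute PHP removes the remaining code-execution path even if a check is later bypassed.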
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Maian Support Helpdesk, range: = 4.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.