Chengdu Flash Flood Disaster Monitoring and Warning System FileHandler.ashx unrestricted upload
Description
A vulnerability classified as problematic was found in Chengdu Flash Flood Disaster Monitoring and Warning System 2.0. This vulnerability affects unknown code of the file /Service/FileHandler.ashx. The manipulation of the argument userFile leads to unrestricted upload. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-235072. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Chengdu Flash Flood Disaster Monitoring and Warning System 2.0 allows unrestricted file upload via /Service/FileHandler.ashx, enabling remote code execution.
Vulnerability
A problematic unrestricted file upload vulnerability exists in Chengdu Flash Flood Disaster Monitoring and Warning System version 2.0. The flaw resides in the /Service/FileHandler.ashx endpoint, specifically within the SaveFile and WriteFile functions of the MFCW.Web.Service.FileHandler class (in \bin\MFCW.Web.dll). The userFile parameter is not filtered by file type, allowing an attacker to upload arbitrary files, including ASP.NET web shells [1].
Exploitation
An attacker can exploit this vulnerability without authentication by sending a crafted HTTP POST request to the vulnerable endpoint. The request must include the parameters Action=Upload, FileDirectory (e.g., E:/SCWJ/Official/Web/MFCW/Upload/), FileName (e.g., 111.aspx), and StartByte=0, with the malicious file content supplied as multipart form-data under the userFile field [1]. The provided proof-of-concept uploads an ASPX web shell that uses a hardcoded decryption key to execute arbitrary .NET assemblies. Although the server reports an error, the file is successfully saved to the specified directory [1].
Impact
Successful exploitation allows an attacker to achieve remote code execution (RCE) on the web server with the privileges of the application pool. The attacker gains full control over the system, including the ability to execute arbitrary commands, read, write, or delete files, and pivot to internal network resources [1].
Mitigation
Chengdu Flash Flood Disaster Monitoring and Warning System 2.0 is end-of-life (EOL) or unmaintained; the vendor did not respond to disclosure attempts [1]. No official patch or fix is available. As a workaround, the vulnerable /Service/FileHandler.ashx endpoint should be disabled or blocked via web server configuration (e.g., URL rewrite rules or a web application firewall). Affected organizations should immediately upgrade to a supported alternative system if available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Chengdu/Flash Flood Disaster Monitoring and Warning Systemv5Range: 2.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing file-type validation in the WriteFile function allows unrestricted upload of executable script files."
Attack vector
An attacker sends a POST request to `/Service/FileHandler.ashx` with the query parameters `Action=Upload`, a writable `FileDirectory`, a chosen `FileName` (e.g., `111.aspx`), and `StartByte=0`. The request body contains a `multipart/form-data` payload where the `userFile` part carries ASP.NET webshell code. Because the server does not validate the file extension or content, the `.aspx` file is written to the specified directory, giving the attacker a webshell on the server [ref_id=1].
Affected code
The vulnerability resides in the file `/Service/FileHandler.ashx` within the `MFCW.Web.Service.FileHandler` class (compiled in `\bin\MFCW.Web.dll`). The `SaveFile` function is entered when `Action=Upload` is passed, and the subsequent `WriteFile` function writes the uploaded file without filtering the file type [ref_id=1].
What the fix does
No patch or vendor response is available; the vendor was contacted but did not reply [ref_id=1]. The advisory recommends that the application should validate the file extension and content type before writing uploaded files, and restrict the upload directory to prevent execution of script files. Without a fix, the system remains vulnerable to arbitrary file upload.
Preconditions
- networkThe target must be running Chengdu Flash Flood Disaster Monitoring and Warning System 2.0 with the /Service/FileHandler.ashx endpoint exposed.
- authNo authentication is required; the endpoint is publicly accessible.
- inputThe attacker must know or guess a writable FileDirectory path on the server.
Reproduction
1. Identify a target running the vulnerable system. 2. Send the following POST request (adjust `Host` and `FileDirectory` as needed): `POST /Service/FileHandler.ashx?Action=Upload&FileDirectory=E:/SCWJ/Official/Web/MFCW/Upload/&FileName=111.aspx&StartByte=0 HTTP/1.1` with a `multipart/form-data` body containing a `userFile` part whose content is an ASP.NET webshell payload (e.g., the one shown in the PoC). 3. The server may return an error, but the file is still written to the specified directory. 4. Access the uploaded `.aspx` file via a browser to execute the webshell [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- github.com/yueying638/cve/blob/main/upload.mdmitreexploit
- vuldb.commitresignaturepermissions-required
- vuldb.commitrevdb-entrytechnical-description
News mentions
0No linked articles in our index yet.