Zscaler Inc.

12/18/2023 | News release | Distributed by Public on 12/18/2023 11:10

Coverage Advisory for CVE-2023-50164: Apache Struts Path Traversal and File Upload Vulnerability

The attacker accesses a vulnerable version of Apache Struts to send an HTTP POST request to upload a malicious file.

In the POST request, the attacker uploads a file with malicious content using the 'Upload' parameter name (instead of 'upload'). Within the same request, the attacker adds another parameter named 'uploadFileName' (instead of 'UploadFileName').

Figure 1 is a condensed example of a request.

Figure 1: Part of the HTTP POST request

The 'uploadFileName' parameter contains path traversal characters (../), which manipulate the filename present in the 'Upload' parameter. This lets an attacker bypass the built-in check, effectively evading the getCanonicalName method (a method used to truncate '/' & '\' characters in the filename), and leave the path traversal payload in the final filename. From here, the file (with the malicious payload) is uploaded to the attacker's chosen directory.

If the file contains WebShell code, the attacker can escalate access to the vulnerable server, leading to remote code execution (RCE) and, ultimately, access to the target server.

Figure 2: Attack chain depicting an attacker exploiting CVE-2023-50164
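The request shape described above can be checked for on the defensive side. The following is an added detection sketch, not code from Zscaler or Apache Struts: it parses a multipart/form-data body and flags a client-supplied `<name>FileName` field that accompanies a file part, and path traversal sequences in any filename value. The function names, the boundary string and the sample body are constructed for illustration.

```python
import email
from email.utils import collapse_rfc2231_value
from urllib.parse import unquote

def parse_fields(content_type, body):
    """Return (name, filename, value) for each multipart/form-data part."""
    msg = email.message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    if not msg.is_multipart():
        return []
    fields = []
    for part in msg.get_payload():
        raw = part.get_param("name", header="content-disposition") or ""
        value = (part.get_payload(decode=True) or b"").decode("latin-1")
        fields.append((collapse_rfc2231_value(raw), part.get_filename(),
                       value.strip()))
    return fields

def has_traversal(text):
    """True if text, raw or URL-decoded, contains a dot-dot path step."""
    return any(seq in form for form in (text, unquote(text))
               for seq in ("../", "..\\"))

def inspect_upload(content_type, body):
    """Return findings for the request shape the advisory describes."""
    fields = parse_fields(content_type, body)
    file_parts = {n.lower() for n, fn, _ in fields if fn is not None}
    findings = []
    for name, filename, value in fields:
        if filename is not None and has_traversal(filename):
            findings.append(f"traversal in filename attribute of '{name}'")
        low = name.lower()
        if filename is None and low.endswith("filename"):
            # Compared case-insensitively: the advisory's request varies case.
            if low[:-len("filename")] in file_parts:
                findings.append(f"client-supplied filename override '{name}'")
            if has_traversal(value):
                findings.append(f"traversal in value of '{name}'")
    return findings

# Constructed sample: the parameter names are the ones the advisory lists.
SAMPLE_CTYPE = "multipart/form-data; boundary=XBOUND"
SAMPLE_BODY = (
    b'--XBOUND\r\n'
    b'Content-Disposition: form-data; name="Upload"; filename="notes.txt"\r\n'
    b'Content-Type: text/plain\r\n\r\n'
    b'constructed file content\r\n'
    b'--XBOUND\r\n'
    b'Content-Disposition: form-data; name="uploadFileName"\r\n\r\n'
    b'../../placeholder.txt\r\n'
    b'--XBOUND--\r\n')
```

Run `inspect_upload(SAMPLE_CTYPE, SAMPLE_BODY)` to see both findings; a body containing only a file part with a plain filename returns an empty list.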