
SysAid On-Premise Directory Traversal CVE-2023-47246



Application Details

SysAid On-Premise is used to manage IT tasks. SysAid On-Premise also allows end users to contact IT services, regardless of their location.


Vulnerability

SysAid On-Premise could allow a remote attacker to traverse directories on the system, caused by improper archive file validation.


Identification

An attacker could use a specially crafted, zlib-compressed WAR file webshell containing "dot dot" sequences (/../) to control where the webshell is written on the vulnerable server. The attacker can then browse to the URL where it now resides to gain access to the server.

POST /userentry?accountId=/../../../tomcat/webapps/usersfiles


Detection

By turning this into a traffic file and matching rule, we are able to detect attempts at directory traversal leading to remote code execution on the system.
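
The matching logic described above can be approximated over web server logs. The following is an added example, not Idappcom's signature 8024393 and not code from the original page: it flags POST requests to /userentry whose accountId parameter contains a "dot dot" path segment, including percent-encoded forms. The combined log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (assumed combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Nov/2023:10:00:00 +0000] "POST /userentry?accountId=/../../../tomcat/webapps/usersfiles HTTP/1.1" 200 0',
    '203.0.113.5 - - [01/Nov/2023:10:00:05 +0000] "POST /userentry?accountId=%2F..%2F..%2F..%2Ftomcat%2Fwebapps%2Fusersfiles HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Nov/2023:10:01:00 +0000] "POST /userentry?accountId=12345 HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Nov/2023:10:02:00 +0000] "GET /Login.jsp HTTP/1.1" 200 5120',
]

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_attempt(log_line):
    """True for a POST to /userentry whose accountId holds a '..' path segment."""
    m = REQUEST_RE.search(log_line)
    if not m or m.group("method") != "POST":
        return False
    parts = urlsplit(m.group("target"))
    if parts.path != "/userentry":
        return False
    # parse_qs decodes once; fully_decode handles any further encoding layers.
    for value in parse_qs(parts.query, keep_blank_values=True).get("accountId", []):
        normalised = fully_decode(value).replace("\\", "/")
        if ".." in normalised.split("/"):
            return True
    return False

def scan(lines):
    """Return the log lines that match the traversal pattern."""
    return [line for line in lines if is_traversal_attempt(line)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT:", hit)
```

A legitimate accountId value has no reason to contain a path separator, so any hit is worth reviewing alongside the contents of the Tomcat webapps directory.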


Coverage

Idappcom have created signature 8024393 along with a traffic file for this vulnerability.


References

Huntress - CVE-2023-47246



Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues? Learn more here: https://www.idappcom.co.uk/traffic-iq-professional
