QID 150524

Date Published:

QID 150524: WSO2 File Upload Remote Command Execution Vulnerability (CVE-2022-29464)

WSO2 is an open-source technology. It offers an enterprise platform for integrating application programming interfaces, applications, and web services locally and across the Internet.

Due to improper validation of user input, a malicious actor could upload an arbitrary file to a user controlled location of the server. By leveraging the arbitrary file upload vulnerability, it is further possible to gain remote code execution on the server.

Affected Products:
WSO2 API Manager 2.2.0, up to 4.0.0
WSO2 Identity Server 5.2.0, up to 5.11.0
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
WSO2 Identity Server as Key Manager 5.3.0, up to 5.11.0
WSO2 Enterprise Integrator 6.2.0, up to 6.6.0
WSO2 Open Banking AM 1.4.0, up to 2.0.0
WSO2 Open Banking KM 1.4.0, up to 2.0.0

QID Detection Logic (Unauthenticated):
The QID uploads a JSP file to the server by sending a POST request with the payload in the request body to the vulnerable endpoint "fileupload/toolsAny". The payload creates a file named Qualys-WAS-150524.jsp that reads the contents of the "/etc/passwd" file; the response to that file is used to confirm whether the target is vulnerable.
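For defenders reviewing web-server logs, the same two observables the detection logic relies on (a POST to the fileupload/toolsAny endpoint followed by a request for a JSP page that is not part of the deployment) can be flagged per client. The script below is an added example, not part of the Qualys advisory or the WSO2 project; it assumes Common Log Format access logs, uses constructed sample lines, and assumes a baseline set of legitimate JSP names that you would build from your own installation.

```python
import re
from collections import defaultdict

# Constructed access-log sample in Common Log Format; not taken from the advisory.
# The directory an uploaded JSP appears under depends on the deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2022:10:01:02 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [20/Apr/2022:10:02:15 +0000] "POST /fileupload/toolsAny HTTP/1.1" 200 41
10.0.0.9 - - [20/Apr/2022:10:02:16 +0000] "GET /Qualys-WAS-150524.jsp HTTP/1.1" 200 1832
10.0.0.5 - - [20/Apr/2022:10:03:00 +0000] "GET /services/Version HTTP/1.1" 200 300
"""

# JSP pages that legitimately exist on this deployment (assumed baseline; build it from your install).
KNOWN_JSP = {"login.jsp"}

CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse(line):
    """Return (client, method, path, status) or None for a malformed line."""
    m = CLF.match(line)
    if not m:
        return None
    client, method, path, status = m.groups()
    return client, method.upper(), path.split("?", 1)[0], int(status)

def analyze(log_text, known_jsp=KNOWN_JSP):
    """Flag, per client, POSTs to the fileupload/toolsAny endpoint and requests for
    .jsp names outside the baseline; a request that follows an upload is escalated."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        client, method, path, status = rec
        if method == "POST" and path.endswith("/fileupload/toolsAny"):
            findings[client].append(("upload_endpoint_post", path, status))
        elif path.lower().endswith(".jsp") and path.rsplit("/", 1)[-1] not in known_jsp:
            tag = "unknown_jsp_request"
            if any(f[0] == "upload_endpoint_post" for f in findings[client]):
                tag = "upload_then_execute"  # same client uploaded earlier in the log
            findings[client].append((tag, path, status))
    return dict(findings)

def severity(findings):
    """Collapse one client's findings into a single label."""
    tags = {f[0] for f in findings}
    if "upload_then_execute" in tags:
        return "high"
    return "medium" if tags else "none"

if __name__ == "__main__":
    for client, hits in analyze(SAMPLE_LOG).items():
        print(client, severity(hits), hits)
```

A "high" result for a client warrants checking the webapp directories for the named JSP and reviewing that client's other requests; a lone "medium" may be a scanner probe that never succeeded.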

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as Critical - 10 severity.
Solution:
The vendor has released a patch; for more information please refer to security advisory WSO2-2021-1738.

Vendor References:
WSO2-2021-1738: docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738