> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
Kingdee Cloud Galaxy is a popular enterprise-grade ERP platform used in finance, supply chain, and business process management.
In November 2023, security researchers publicly disclosed a critical arbitrary file upload vulnerability in its ScpSupRegHandler module.
The flaw is easy to exploit, and public PoCs are already circulating, allowing attackers to upload malicious files and potentially gain full control of the server.
Vulnerability Overview
The core issue lies in insecure file upload handling, one of the most common yet dangerous flaws in web applications.
Here's what went wrong:
- Weak file extension checks: the backend failed to properly validate the file type.
- Improper path sanitization: the upload handler didn't reject directory traversal sequences like `../../../../`, enabling attackers to escape the intended upload directory.
By crafting a malicious file (e.g., a `.jsp` webshell) with a specially designed filename, an attacker can drop it into an unintended server directory, such as a web-accessible path, and execute arbitrary commands.
Exploitation Patterns
From a traffic analysis perspective, malicious uploads stand out in HTTP POST requests containing unusual file paths, especially ones with multiple `../` sequences.
This is a classic directory traversal indicator.
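The two handler defects listed under Vulnerability Overview and the traffic indicator just described, worked through as an added example (not code from the original post or from Kingdee): a small log-review helper that pulls the `filename=` values out of a multipart POST and flags traversal, beside a hardened filename-to-path mapping of the kind the handler should have used. The request body, the `/data/uploads` root and the extension allowlist are constructed assumptions.

```python
from __future__ import annotations
import posixpath
import re
from urllib.parse import unquote

UPLOAD_ROOT = "/data/uploads"                   # assumption: the intended upload directory
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}   # assumption: what the business actually needs
FILENAME_RE = re.compile(r'filename="([^"]*)"', re.IGNORECASE)

def extract_filenames(raw_request: str) -> list[str]:
    """Every filename= value in a multipart/form-data POST (a regex is enough for
    log review; a WAF would use a full multipart parser)."""
    _, _, body = raw_request.partition("\r\n\r\n")
    return FILENAME_RE.findall(body)

def traversal_indicators(filename: str) -> list[str]:
    """Why this filename matches the traversal pattern described above."""
    decoded = unquote(filename)                 # catch %2e%2e%2f-style encoding too
    segments = decoded.replace("\\", "/").split("/")
    reasons = []
    if ".." in segments:
        reasons.append("parent-directory sequence")
    if decoded.startswith("/"):
        reasons.append("absolute path")
    if decoded != filename:
        reasons.append("URL-encoded characters")
    return reasons

def safe_destination(filename: str) -> str | None:
    """Hardened mapping from client filename to disk path: keep only the base name,
    enforce an extension allowlist, and confirm the result stays under UPLOAD_ROOT."""
    base = posixpath.basename(unquote(filename).replace("\\", "/"))
    if base in ("", ".", ".."):
        return None
    if posixpath.splitext(base)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    dest = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    return dest if dest.startswith(UPLOAD_ROOT + "/") else None

# Constructed sample request, not real Kingdee traffic: one benign part, one traversal attempt.
SAMPLE_REQUEST = (
    "POST /upload HTTP/1.1\r\nHost: erp.example.internal\r\n"
    "Content-Type: multipart/form-data; boundary=XX\r\n\r\n"
    '--XX\r\nContent-Disposition: form-data; name="f"; filename="report.pdf"\r\n\r\n%PDF-1.4\r\n'
    '--XX\r\nContent-Disposition: form-data; name="f"; filename="../../../../public/x.jsp"\r\n\r\n'
    "(payload omitted)\r\n--XX--\r\n"
)

if __name__ == "__main__":
    for name in extract_filenames(SAMPLE_REQUEST):
        print(f"{name!r}: {traversal_indicators(name) or 'ok'} -> {safe_destination(name)}")
```

Because `safe_destination` discards every directory component the client supplied and then checks the extension, the traversal name above is rejected twice over, while `report.pdf` resolves to a path inside the upload root.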
Impact
If exploited successfully, attackers can:
- Upload files anywhere on the server
- Deploy webshells or malware
- Tamper with existing files
- Gain remote code execution (RCE) and pivot further into the network
- Steal sensitive data or use the compromised server for other attacks
Severity: High. This flaw can lead to full server compromise.
Affected Versions
- Kingdee Cloud Galaxy Enterprise Private Cloud
- Enterprise Private Cloud (Subscription)
- Standard Private Cloud (Subscription)
Versions: V6.2 (incl. Dec 2017 patch) through V8.1 (incl. Sept 2023 patch)
Mitigation & Fix
Temporary Workarounds:
- Disable file upload functionality if it's not business-critical.
- Restrict system exposure:
- Remove from public internet
- Apply network ACLs to allow only trusted IP ranges
Permanent Fix:
- Upgrade to the patched version provided by Kingdee. Official advisory: Kingdee Security Patch. Contact Kingdee Support for installation packages or assistance.
Reproduction (PoC)
- Upload a malicious file via the vulnerable `ScpSupRegHandler` endpoint
- Access the uploaded file via browser to execute commands on the server
Product Detection Support
- YunTu / DongJian: Supports fingerprint recognition and PoC-based detection for this vulnerability.
- SafeLine / QuanXi: Detects exploitation attempts out of the box.
Timeline
- 2023-10-26: Official patch released
- 2023-11-01: Vulnerability publicly disclosed online
- 2023-11-16: Chaitin Emergency Response Lab analysis & reproduction
- 2023-11-16: Chaitin CSRC published advisory