A critical vulnerability has been identified in the Wildfire IM instant messaging solution, which could allow an unauthenticated attacker to take complete control of the server. The flaw resides in the file upload functionality, enabling an attacker to write malicious files to any location on the server's filesystem. Successful exploitation could lead to full system compromise, data theft, and severe disruption of services.

A path traversal vulnerability exists in the im-server component, specifically within the writeFileUploadData method of the com.xiaoleilu.loServer.action.UploadFileAction class. The application exposes a file upload endpoint at /fs that accepts multipart file uploads. The method responsible for saving the uploaded file fails to sanitize or validate the filename provided by the user, directly concatenating it with the server's base storage path. An unauthenticated attacker can craft a malicious request containing directory traversal sequences (e.g., ../../) in the filename to write an arbitrary file to any location on the filesystem where the application's user account has write permissions. This can be leveraged to achieve Remote Code Execution (RCE) by uploading a web shell, an SSH authorized key, a system executable, or by overwriting a system configuration file.

This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the highest possible level of risk. Exploitation can lead to a complete compromise of the affected server, granting an attacker full administrative control. The potential consequences for the business include theft of sensitive data, intellectual property, and user credentials; significant service downtime and operational disruption; and reputational damage. The compromised server could also be used as a pivot point to launch further attacks against the internal network, compounding the overall risk.

Immediate Action: Organizations must immediately upgrade the affected Wildfire IM components to version 1.4.3 or later, as this version contains the necessary fix. After patching, review server access logs and filesystem for any signs of compromise, such as unexpected files in sensitive directories or suspicious POST requests to the /fs endpoint.

Proactive Monitoring: Security teams should implement enhanced monitoring to detect exploitation attempts. Specifically, monitor web server and application logs for POST requests to the /fs endpoint where the filename in the multipart data contains path traversal sequences like ../, ..\/, or their URL-encoded equivalents. Monitor for unexpected file creation or modification events in critical system directories (e.g., /etc/, /var/spool/cron/, ~/.ssh/).

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Use a Web Application Firewall (WAF) to create a rule that blocks any requests to the /fs endpoint containing directory traversal patterns in the filename parameter.
• Enforce the principle of least privilege by ensuring the user account running the Wildfire IM application has restrictive write permissions, limited only to the intended upload directories.
• Implement a File Integrity Monitoring (FIM) solution to alert on unauthorized changes to critical system files and configurations.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) and the direct path to Remote Code Execution, this vulnerability represents an extreme risk to the organization. We strongly recommend that all vulnerable Wildfire IM instances be patched to version 1.4.3 or later on an emergency basis. This vulnerability should be treated as the highest priority for remediation. Even without current evidence of active exploitation, its severity makes it a prime target for opportunistic and sophisticated attackers.