Urgent Update Needed for erohtar/Dasherr Dashboard to Patch Critical File Upload Vulnerability

CVE: CVE-2023-23607
CVSS v3.1: 9.8 (Critical)
Source: CVE-2023-23607

erohtar/Dasherr is a popular open source dashboard for managing self-hosted services. A critical-severity (CVSS 9.8) unrestricted file upload vulnerability, tracked as CVE-2023-23607, allows unauthenticated attackers to execute arbitrary code on systems running affected versions of the dashboard (releases before 1.05.00).

The vulnerability resides in the file upload handling in /www/include/filesave.php. The script neither validates the type of the uploaded file nor restricts where it is written, so an attacker can place a PHP file, or any other content, at an arbitrary location the web server user can write to. Exploitation gives the attacker remote control of the affected system.

An attacker only needs to submit a PHP file through the dashboard's upload form and direct it to a path under the web root. The web server then treats the uploaded file as code and executes it on the next request, giving the attacker remote command execution on the machine.
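To make the two halves of that sentence concrete, here is an added illustration (not Dasherr's own code, and not a copy of filesave.php): a minimal handler that shows the unrestricted-upload pattern the advisory describes, followed by a hardened replacement. Function names, form field names and directory paths are assumptions made for the example.

```php
<?php
// Added illustration for this advisory; NOT Dasherr's own code. Function
// names, form field names and directories are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the client-supplied name is used as the destination and
// nothing about the file is checked. A name such as "../../www/shell.php"
// writes executable PHP into the web root; any other relative path lands
// wherever the web server user can write.
function save_upload_vulnerable(array $file, string $baseDir): string
{
    $target = $baseDir . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $target);
    return $target;
}

// Hardened handler. $subdir is an optional client-chosen folder, kept only to
// show the traversal check; drop the parameter if you do not need it.
function save_upload_hardened(array $file, string $uploadDir, string $subdir = ''): string
{
    // Allowlist of extensions mapped to the MIME type the bytes must have.
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }

    // Judge by the LAST extension of the bare filename only: "x.png.php" -> "php"
    // is rejected; "x.php.png" -> "png" passes but is renamed below anyway.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }

    // Sniff the actual bytes; the client's Content-Type header is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("content does not match extension: $mime");
    }

    // Resolve the destination directory and require it to sit inside $uploadDir.
    // realpath() collapses "..", so a $subdir of "../www" resolves outside $base.
    $base = realpath($uploadDir);
    $dir  = realpath($uploadDir . '/' . $subdir);
    if ($base === false || $dir === false ||
        ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0)) {
        throw new RuntimeException('destination outside upload directory');
    }

    // Never reuse the client's name on disk; generate one with the vetted extension.
    $target = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644);
    return $target;
}

// Typical call from a form handler (field names are assumptions):
// $path = save_upload_hardened($_FILES['file'], __DIR__ . '/../uploads', $_POST['folder'] ?? '');
```

The extension allowlist, byte-level MIME check, server-generated filename and realpath() containment test each close one of the gaps the advisory describes. They are still only application-level controls: the upload directory should additionally be one the web server will not execute scripts from (for example `php_admin_flag engine off` in the Apache directory block when using mod_php, or an nginx location that is not routed to php-fpm), so that a bypass of the checks does not immediately become code execution.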

All users of erohtar/Dasherr are strongly recommended to upgrade to version 1.05.00 or later immediately; that release fixes the upload handling. Upgrading stops further exploitation but does not remove anything an attacker has already placed on the server, so users should also check the web root and upload directories for unexpected PHP files or recently modified files and clean up any backdoors or persisted access they find.
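As an added post-upgrade triage aid (not part of Dasherr), the following script walks a web root and reports files that changed after a cutoff time or that contain PHP constructs typical of dropped webshells. The paths, the cutoff and the token list are assumptions for the example.

```php
<?php
// Added triage helper for this advisory; not part of Dasherr. Paths, cutoff
// and the token list are assumptions for illustration.
declare(strict_types=1);

function find_suspicious_files(string $root, int $modifiedSince): array
{
    // Constructs that are rare in a dashboard's shipped code but common in webshells.
    $needles = ['eval(', 'base64_decode(', 'shell_exec(', 'passthru(', 'system(',
                'proc_open(', 'popen(', 'gzinflate(', 'str_rot13('];
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $path => $info) {
        /** @var SplFileInfo $info */
        if (!$info->isFile()) {
            continue;
        }
        $reasons = [];
        if ($info->getMTime() >= $modifiedSince) {
            $reasons[] = 'modified after cutoff';
        }
        // Read only the head of each file: webshells are small, and the opening
        // tag must be present for the server to run the file as PHP at all.
        $head = file_get_contents($path, false, null, 0, 65536);
        if ($head !== false && strpos($head, '<?php') !== false) {
            if (strtolower($info->getExtension()) !== 'php') {
                $reasons[] = 'PHP code under a non-.php name';
            }
            foreach ($needles as $n) {
                if (stripos($head, $n) !== false) {
                    $reasons[] = "contains $n";
                }
            }
        }
        if ($reasons !== []) {
            $findings[$path] = $reasons;
        }
    }
    return $findings;
}

// Example run: anything touched in the last 30 days, or looking like a shell,
// under an assumed install path.
// $cutoff = time() - 30 * 86400;
// foreach (find_suspicious_files('/var/www/dasherr/www', $cutoff) as $f => $why) {
//     echo $f, ': ', implode(', ', $why), PHP_EOL;
// }
```

Treat the output as a starting point rather than a verdict: modification times can be reset by an attacker with `touch`, and the token list will flag some legitimate code. Where the install came from a git checkout or a release archive, comparing the tree against the pristine copy (for example `git status` and `git diff` in the checkout) is the more reliable way to spot added or altered files.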

As an additional precaution, restrict the upload function to authenticated, authorized users wherever possible, and store uploads in a location from which the web server will not execute scripts. Keeping systems up to date with the latest patches is likewise important. Watching for vulnerability reports and responding quickly helps protect systems and data from exploitation.
