Product: Sangfor (深信服)
Product Name: Operation and Maintenance Management System (运维安全管理系统 / OSM)
Affected Version: 3.0.8 (and potentially earlier versions)
Vulnerability Type: OS Command Injection

Description

A Command Injection vulnerability exists in the Sangfor Operation and Maintenance Management System (OSM) version 3.0.8. The vulnerability is located in the endpoint within the class. The application fails to properly sanitize the parameter of the multipart/form-data upload request. Specifically, the application uses an insufficient method that filters standard file system characters but fails to neutralize shell metacharacters (such as , , ). The malicious filename is then concatenated directly into a command execution string without parameterization. Remote attackers can exploit this vulnerability to execute arbitrary system commands with the privileges of the application (typically root or tomcat).

Vulnerability Details & Root Cause

1. Insecure Entry Point: The function in accepts a file upload.
2. Insufficient Sanitization: The filename is processed by , which filters only , , , , , , , , but allows semicolons ( ) and redirection operators, which are permissible in filenames but dangerous in shell commands.
3. Command Injection: The code constructs a command string: .
4. Execution: The executes this concatenated string, allowing the injection of arbitrary commands via the filename.
5. Constraint: The application strictly checks that the filename length is exactly 25 characters.

Proof of Concept (PoC)

https://60.211.224.34:5533/

- Step 1: Send the malicious request (Payload: - Total 25 chars).
- Step 2: Verify the execution. Access the output file created by the injected command: URL: (or relative path depending on deployment).

Remediation

1. Strict Validation: Implement a whitelist validation for filenames (e.g., allow only alphanumeric characters and dots).
2. Avoid Shell Execution: Use Java's native file handling APIs instead of invoking .
3. Parameterization: If shell execution is necessary, use with a list of arguments instead of string concatenation to prevent argument injection.
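The following Java class is an added illustration of the three remediation points above, and of why the denylist described under root cause item 2 fails: an allowlist rejects shell metacharacters without having to enumerate them. It is example code written for this advisory, not code from the Sangfor product or from the advisory author. The class name, the 25-character length rule taken from constraint item 5, the upload directory, and the external tool invoked through ProcessBuilder are all assumptions; ProcessBuilder, java.nio.file.Files and java.util.regex are standard Java APIs.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical class name; not part of the affected product.
public class UploadFilenameHardening {

    // Remediation 1: allowlist. Letters, digits and dots only, and exactly 25
    // characters (the length the advisory says the application already enforces).
    // Because '/' and '\\' are not allowed, the name cannot escape the upload
    // directory, and because ';', '|', '>', '`', '$', quotes and spaces are not
    // allowed, it carries nothing a shell could interpret even if one were used.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9.]{25}$");

    /** Returns true only for filenames that match the allowlist. */
    static boolean isSafeFilename(String name) {
        return name != null && SAFE_NAME.matcher(name).matches();
    }

    /**
     * Remediation 2: place the uploaded temp file with the NIO API instead of
     * building a shell command. The filename never reaches a command line.
     */
    static Path storeUpload(Path tempFile, Path uploadDir, String clientFilename) throws IOException {
        if (!isSafeFilename(clientFilename)) {
            throw new IllegalArgumentException("rejected upload filename");
        }
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(clientFilename).normalize();
        // Defence in depth: the allowlist already forbids separators, but
        // confirm the resolved path still lives directly under the upload dir.
        if (!base.equals(target.getParent())) {
            throw new IllegalArgumentException("resolved path escapes upload directory");
        }
        return Files.move(tempFile, target);
    }

    /**
     * Remediation 3: if an external program must be run, pass the path as its
     * own argv element. ProcessBuilder execs the program directly; no shell
     * parses the string, so metacharacters in the name are just bytes in argv[2].
     * The "--" ends option parsing so a name starting with '-' cannot become a flag.
     * /usr/bin/file is only a placeholder for whatever tool the deployment needs.
     */
    static Process runToolOn(Path file) throws IOException {
        List<String> argv = Arrays.asList("/usr/bin/file", "--", file.toString());
        return new ProcessBuilder(argv).redirectErrorStream(true).start();
    }

    public static void main(String[] args) {
        // Constructed sample filenames, not values taken from the advisory.
        String[] samples = {
            "upload.2024.report.v1.bin",   // 25 chars, allowlisted: accepted
            "upload.2024.report.v1.bi",    // 24 chars: rejected by length
            "file;name.txt",               // shell metacharacter: rejected
            "../../etc/passwd.........",   // path separators: rejected
            "name with spaces.........",   // space: rejected
        };
        for (String s : samples) {
            System.out.printf("%-28s -> %s%n", s, isSafeFilename(s) ? "accepted" : "rejected");
        }
        Path uploadDir = Paths.get("/var/lib/osm/uploads"); // assumed location
        System.out.println("uploads would be written under " + uploadDir.toAbsolutePath());
    }
}
```

The main() only exercises the validator; storeUpload() and runToolOn() are the shapes an upload handler would call once a real temp file exists. The order matters: validate first, then use the filesystem API, and fall back to an argv-based ProcessBuilder only when a native Java call cannot do the job.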