CVE-2019-17490 : What You Need to Know

Discover the file upload vulnerability in Jiangnan Online Judge version 0.8.0 with CVE-2019-17490. Learn about the impact, affected systems, exploitation, and mitigation steps.

In Jiangnan Online Judge (also known as jnoj) version 0.8.0, a vulnerability exists in the app\modules\polygon\controllers\ProblemController that allows attackers to upload arbitrary files, potentially leading to code execution.

Understanding CVE-2019-17490

This CVE identifies a file upload vulnerability in Jiangnan Online Judge version 0.8.0.

What is CVE-2019-17490?

The vulnerability in the ProblemController of Jiangnan Online Judge version 0.8.0 enables attackers to upload files, such as PHP code disguised as image files, to specific URIs.

The Impact of CVE-2019-17490

This vulnerability could be exploited by malicious actors to upload and execute arbitrary code on the server, leading to unauthorized access and potential data breaches.

Technical Details of CVE-2019-17490

This section provides more technical insights into the CVE.

Vulnerability Description

The flaw in app\modules\polygon\controllers\ProblemController allows files to be uploaded whose declared content type does not match their actual content, which can lead to execution of malicious code.

Affected Systems and Versions

        Affected System: Jiangnan Online Judge (jnoj)
        Affected Version: 0.8.0

Exploitation Mechanism

Attackers can exploit this vulnerability by uploading PHP code with a .php filename but with the image/png content type to specific URIs within the application.

Mitigation and Prevention

To address CVE-2019-17490, follow these mitigation strategies:

Immediate Steps to Take

        Disable file uploads in the affected component.
        Implement input validation to ensure uploaded files match their specified content types.
        Regularly monitor and review uploaded files for suspicious content.
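
The validation step above can be sketched as follows. This is an added example, not code from jnoj or its vendor; the function name store_uploaded_image, the ALLOWED_IMAGES allowlist and the destination directory are assumptions. It rejects the case described under Exploitation Mechanism (a .php filename sent with an image/png content type) because the client-declared type is never trusted.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: extension => MIME type detected from file content.
const ALLOWED_IMAGES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and move it into $destDir under a
 * server-generated name. Returns the stored path; throws on rejection.
 */
function store_uploaded_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file((string) ($file['tmp_name'] ?? ''))) {
        throw new RuntimeException('upload failed or not an HTTP upload');
    }

    // 1. The extension must be on the allowlist. A name ending in ".php"
    //    stops here no matter what Content-Type the client declared.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGES)) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. $file['type'] is the client's claim and is never consulted.
    //    Detect the type from the bytes and require it to match the extension.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED_IMAGES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // 3. Store under a random name so the client controls neither the
    //    path nor the extension of the file on disk.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}
```

Content sniffing alone does not stop a valid image that also carries PHP text, so the destination directory should be one where the web server does not execute scripts.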

Long-Term Security Practices

        Conduct regular security assessments and penetration testing to identify vulnerabilities.
        Keep software and systems up to date with the latest security patches.

Patching and Updates

        Apply patches or updates provided by the vendor to fix the file upload vulnerability in Jiangnan Online Judge version 0.8.0.
