SeedDMS 5.1.22 Exploit, May 2026

  • SeedDMS stores uploaded files in:

    /data/<folderid>/<documentid>/<version>/<filename>

    Without prior documents, the system may assign a new document ID. The exact path can be brute-forced or inferred by attempting to access:

    http://192.168.1.100/seeddms51/data/1000/1/1/evil.php
    

    (Cycle 1000, 1001, etc.)

    Alternatively, check for predictable patterns: data/temp/ or data/cache/.

  • General hardening:

    In properly secured versions of SeedDMS, uploading a document requires:

    In SeedDMS 5.1.22, the endpoint /op/op.AddFile.php had a fatal oversight: it did not verify the user's session before handling the file upload operation.

    Specifically, the function addDocument() in addfile.php calls check_access() but fails to enforce isLoggedIn() at the beginning of the request lifecycle. An attacker can therefore bypass authentication entirely by posting a multipart/form-data request directly to the endpoint.

    Check access logs for unusual POSTs to op.AddFile.php from clients that never issued a GET to out.Login.php. First list the upload POSTs (the original pipeline's trailing grep -B1 "POST" only printed the preceding matching line, not the login context, so it is replaced by a single pattern):

    grep 'POST .*op\.AddFile\.php' /var/log/apache2/access.log

    Then, for each client IP in that output, confirm whether it ever requested the login page:

    grep '<ip>.*GET .*out\.Login\.php' /var/log/apache2/access.log

    If you see POST requests from an IP that never visited out.Login.php, that's a red flag.
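    The same check as a small log-parsing script, added here as an example rather than taken from the original post: it reads Apache combined-format lines, flags POSTs to op.AddFile.php from IPs with no earlier GET to out.Login.php, and also flags successful GETs of .php files under the data/ store, which is where the path-guessing described above would show up. The log lines are constructed sample data; the path prefix /seeddms51/ is taken from the URL above.

```python
import re

# Constructed sample of Apache combined-format access log lines (not real traffic).
# 203.0.113.7 visits the login page before uploading; 198.51.100.9 never does.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2026:10:01:02 +0000] "GET /seeddms51/out/out.Login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2026:10:01:09 +0000] "POST /seeddms51/op/op.Login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2026:10:02:30 +0000] "POST /seeddms51/op/op.AddFile.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [03/May/2026:10:05:11 +0000] "POST /seeddms51/op/op.AddFile.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [03/May/2026:10:05:12 +0000] "GET /seeddms51/data/1000/1/1/evil.php HTTP/1.1" 200 17 "-" "python-requests/2.31"
"""

# Fields we need from the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of the fields above, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthenticated_uploads(log_text):
    """(ip, timestamp) for each POST to op.AddFile.php whose client IP had not
    requested out.Login.php earlier in the (chronological) log."""
    seen_login = set()
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "GET" and rec["path"].endswith("/out/out.Login.php"):
            seen_login.add(rec["ip"])
        elif rec["method"] == "POST" and rec["path"].endswith("/op/op.AddFile.php"):
            if rec["ip"] not in seen_login:
                findings.append((rec["ip"], rec["ts"]))
    return findings


def find_data_php_hits(log_text):
    """(ip, path) for every successful GET of a .php file under the data/ store;
    the document store should never serve PHP, so any hit deserves a look."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["method"] == "GET" and "/data/" in rec["path"] \
                and rec["path"].lower().endswith(".php") and rec["status"] == "200":
            hits.append((rec["ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    for ip, ts in find_unauthenticated_uploads(SAMPLE_LOG):
        print(f"upload without prior login: {ip} at {ts}")
    for ip, path in find_data_php_hits(SAMPLE_LOG):
        print(f"PHP served from data store: {ip} fetched {path}")
```

    The IP-based correlation is a heuristic: clients behind NAT or a proxy share an address, so a flagged IP needs confirmation against the session cookie before treating it as an incident.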

    A complete attacker workflow for SeedDMS 5.1.22:
