Description
HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2026-4836 (CVE-2026-24479)
Vulnerability: Arbitrary File Write via ZIP Path Traversal Leading to Remote Code Execution (RCE) in HUSTOF (HUSTOJ)
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Overview
EUVD-2026-4836 (CVE-2026-24479) is a critical path traversal vulnerability in HUSTOF (HUSTOJ), an open-source online judge system used for ACM/ICPC and NOIP training. The flaw resides in the problem_import_qduoj.php and problem_import_hoj.php modules, which fail to properly sanitize filenames within uploaded ZIP archives. Attackers can exploit this by crafting a malicious ZIP file containing files with directory traversal sequences (e.g., ../../shell.php), allowing arbitrary file writes to the web root and subsequent Remote Code Execution (RCE).
CVSS v4.0 Severity Analysis
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely via HTTP(S). |
| Attack Complexity (AC) | Low (L) | No special conditions required. |
| Attack Requirements (AT) | None (N) | No user interaction or prior access needed. |
| Privileges Required (PR) | None (N) | Unauthenticated exploitation possible. |
| User Interaction (UI) | None (N) | No user action required. |
| Vulnerable Confidentiality (VC) | High (H) | Full system compromise possible. |
| Vulnerable Integrity (VI) | High (H) | Arbitrary file writes enable code execution. |
| Vulnerable Availability (VA) | High (H) | System takeover can disrupt services. |
| Subsequent Confidentiality (SC) | None (N) | No further impact beyond initial compromise. |
| Subsequent Integrity (SI) | None (N) | No additional integrity impact. |
| Subsequent Availability (SA) | None (N) | No further availability impact. |
Base Score: 9.3 (Critical)
The vulnerability is remotely exploitable without authentication, requires no user interaction, and leads to full system compromise, justifying its Critical severity rating.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Workflow
- Crafting the Malicious ZIP Archive
  - An attacker creates a ZIP file containing a PHP webshell (e.g., `shell.php`) with a path traversal payload in the filename: `../../../../var/www/html/shell.php`
  - The ZIP file may also include legitimate problem files to evade suspicion.
- Uploading the ZIP File
  - The attacker submits the ZIP file via the problem import functionality (`problem_import_qduoj.php` or `problem_import_hoj.php`).
  - The vulnerable module extracts the ZIP without sanitizing filenames, allowing the traversal sequence to write the file outside the intended directory.
- Achieving Remote Code Execution (RCE)
  - Once the webshell is written to the web root (e.g., `/var/www/html/shell.php`), the attacker accesses it via HTTP: `http://<target>/shell.php?cmd=id`
  - The attacker can now execute arbitrary commands on the server.
Alternative Exploitation Scenarios
- Privilege Escalation via Cron Jobs or SUID Binaries
  - If the web server runs as a privileged user (e.g., `www-data` with sudo access), the attacker may escalate privileges by writing to `/etc/cron.d/` or `/etc/sudoers.d/`.
- Persistence via Backdoor Installation
  - The attacker may install a reverse shell or SSH key for persistent access.
- Lateral Movement in Multi-Server Deployments
  - If HUSTOJ is part of a larger training platform, the attacker may pivot to other systems.
Proof-of-Concept (PoC) Exploit
```shell
# Create a malicious ZIP with path traversal
echo '<?php system($_GET["cmd"]); ?>' > shell.php
zip malicious.zip "../../var/www/html/shell.php"
# Upload via vulnerable endpoint (e.g., via cURL)
curl -F "file=@malicious.zip" http://<target>/problem_import_qduoj.php
```
3. Affected Systems and Software Versions
Vulnerable Software
- Product: HUSTOF (HUSTOJ)
- Vendor: zhblue
- Affected Versions: All versions prior to 26.01.24
- Fixed Version: 26.01.24 (commit `902bd09e6d0011fe89cd84d4236899314b33101f`)
Deployment Context
- Primary Use Case: Online programming judges for ACM/ICPC and NOIP training.
- Common Deployments:
- University and educational institution servers.
- Competitive programming platforms.
- Cloud-based training environments.
- Operating Systems: Linux (Ubuntu, CentOS, Debian).
- Web Servers: Apache, Nginx.
- Database: MySQL.
Detection Methods
- Manual Inspection:
  - Check for the presence of `problem_import_qduoj.php` and `problem_import_hoj.php` in the web root.
  - Verify the HUSTOJ version (`version.txt` or Git commit history).
- Automated Scanning:
  - Nuclei Template (fingerprints the two endpoints only; it does not confirm that the deployed version is vulnerable):

    ```yaml
    id: hustoj-cve-2026-24479
    info:
      name: HUSTOJ ZIP Path Traversal RCE
      severity: critical
      reference: https://github.com/zhblue/hustoj/security/advisories/GHSA-xmgg-2rw4-7fxj
    requests:
      - method: GET
        path:
          - "{{BaseURL}}/problem_import_qduoj.php"
          - "{{BaseURL}}/problem_import_hoj.php"
        matchers:
          - type: word
            words:
              - "HUSTOJ"
              - "problem_import"
    ```

  - Metasploit Module: (Expected to be released post-disclosure)
4. Recommended Mitigation Strategies
Immediate Actions
- Upgrade to the Latest Version
  - Apply the patch in HUSTOJ v26.01.24 or later:

    ```shell
    git clone https://github.com/zhblue/hustoj.git
    cd hustoj
    git checkout 902bd09e6d0011fe89cd84d4236899314b33101f
    ```

  - Alternatively, manually apply the fix from the GitHub commit.
- Temporary Workarounds (If Upgrade Not Possible)
  - Disable ZIP Uploads:
    - Remove or restrict access to `problem_import_qduoj.php` and `problem_import_hoj.php`.
  - File Upload Restrictions:
    - Configure the web server to block ZIP uploads or enforce strict filename validation.
  - Chroot Jail for ZIP Extraction:
    - Extract into a dedicated directory with `unzip -d /safe/directory archive.zip`. Info-ZIP unzip drops `../` path components by default; do not pass `-:`, which switches that protection off and allows entries to land outside the extraction root.
  - Web Application Firewall (WAF) Rules:
    - Deploy ModSecurity rules to block ZIP files containing `../` sequences.
- System Hardening
  - Least Privilege Principle:
    - Run the web server (`www-data` or `nginx`) with minimal permissions.
  - Filesystem Restrictions:
    - Use `chmod 750` on sensitive directories (e.g., `/var/www/html`).
  - Disable Dangerous PHP Functions:
    - In `php.ini`, set: `disable_functions = exec,passthru,shell_exec,system`
Long-Term Mitigations
- Regular Security Audits:
- Conduct static (SAST) and dynamic (DAST) analysis of the codebase.
- Dependency Management:
- Monitor for vulnerabilities in PHP, MySQL, and Linux dependencies.
- Incident Response Planning:
- Develop a playbook for RCE exploitation scenarios, including forensic analysis and containment.
5. Impact on the European Cybersecurity Landscape
Threat Landscape Implications
- Targeting Educational Institutions
  - HUSTOJ is widely used in European universities (e.g., ETH Zurich, TU Munich, Sorbonne) for programming competitions.
  - Attackers may exploit this to compromise research data, student records, or grading systems.
- Supply Chain Risks
  - If HUSTOJ is integrated into larger e-learning platforms, a single compromise could lead to widespread breaches.
  - Example: A vulnerable HUSTOJ instance in a European Commission-funded training program could expose sensitive data.
- Compliance and Regulatory Risks
  - GDPR (Article 32 - Security of Processing):
    - Failure to patch may result in fines up to €20M or 4% of global revenue.
  - NIS2 Directive (Critical Entities):
    - Universities and research institutions may be classified as essential entities, requiring mandatory vulnerability management.
- Exploitation by APT Groups
  - State-sponsored actors (e.g., APT29, Sandworm) may leverage this for espionage or disruption in academic and research sectors.
  - Cybercriminals may use it for cryptojacking, ransomware, or data exfiltration.
European Response Coordination
- ENISA (European Union Agency for Cybersecurity):
- Likely to issue an alert via the EU Cybersecurity Atlas.
- May recommend mandatory patching for public sector entities.
- CERT-EU:
- Will monitor for active exploitation and issue advisories to member states.
- National CSIRTs (e.g., CERT-FR, BSI, NCSC-NL):
- Will disseminate technical guidance to affected organizations.
6. Technical Details for Security Professionals
Root Cause Analysis
The vulnerability stems from improper input validation in the ZIP extraction logic. The affected modules:
- Accept ZIP uploads without verifying file paths.
- Use PHP's `ZipArchive` class without sanitizing filenames:

  ```php
  $zip = new ZipArchive;
  if ($zip->open($tmp_name) === TRUE) {
      $zip->extractTo($target_dir); // No path traversal checks
      $zip->close();
  }
  ```

- Allow arbitrary file writes due to relative path traversal (`../`).
Patch Analysis
The fix in commit 902bd09e introduces:
- Filename Sanitization:

  ```php
  $filename = basename($zip->getNameIndex($i)); // Strips directory traversal
  ```

- Strict Extraction Path Enforcement:

  ```php
  $safe_path = $target_dir . DIRECTORY_SEPARATOR . $filename;
  if (strpos($safe_path, $target_dir) !== 0) {
      die("Invalid file path detected.");
  }
  ```

- File Extension Whitelisting:
  - Only allows `.cpp`, `.php`, `.txt`, etc., for problem files.
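As an added example (not code from HUSTOJ or from its patch), the following Python mirrors the check the fix needs and goes one step further than a basename() strip: it validates every entry of an archive before anything is extracted, rejecting absolute paths, drive letters, backslash separators and `..` components, and confirms the resolved destination with a commonpath test rather than a string prefix. `TARGET_DIR` and the two in-memory archives are constructed for the demonstration; the archive contents are inert text.

```python
import io
import os
import posixpath
import tempfile
import zipfile
# Hypothetical extraction root; the page does not name HUSTOJ's real import directory.
TARGET_DIR = "/var/www/hustoj/problem_import"

def is_safe_member(target_dir, name):
    """True only if a ZIP entry name stays inside target_dir when extracted:
    no absolute path, no drive letter, no '..' component (backslashes count as
    separators), and the resolved destination still lies under the root."""
    normalized = name.replace("\\", "/")  # archives built on Windows may carry backslashes
    if posixpath.isabs(normalized) or (len(normalized) > 1 and normalized[1] == ":"):
        return False
    if ".." in normalized.split("/"):
        return False
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, normalized))
    # commonpath rather than a string-prefix test, so /safe does not accept /safe2/...
    return os.path.commonpath([root, dest]) == root

def unsafe_entries(zip_bytes, target_dir):
    """Entry names that would escape target_dir, read from the central directory only."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not is_safe_member(target_dir, i.filename)]

def extract_into_temp(zip_bytes):
    """Validate every entry first and extract nothing if any is unsafe.
    Returns the sorted entry names on success, None when the archive is rejected.
    (Python's extractall strips '..' by itself; the explicit check mirrors what the
    PHP fix must do, because ZipArchive::extractTo does not.)"""
    target_dir = tempfile.mkdtemp(prefix="hustoj_import_")
    if unsafe_entries(zip_bytes, target_dir):
        return None
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(target_dir)
        return sorted(zf.namelist())

def build_sample_archive(names):
    """Constructed in-memory archive with inert text content, used only to exercise the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "constructed placeholder\n")
    return buf.getvalue()

CLEAN = build_sample_archive(["1000/problem.md", "1000/test/1.in"])
# Entry names mirror the IOCs the page lists ('../' and absolute paths); contents are inert.
TAMPERED = build_sample_archive(["1000/problem.md", "../../escape.txt", "/etc/absolute.txt", "1000/..\\sibling.txt"])
```

Rejecting the whole archive on the first bad entry, rather than silently skipping it, is deliberate: a problem package with a traversal entry is never a legitimate import.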
Forensic Indicators of Compromise (IOCs)
| Indicator | Description |
|---|---|
| File System | Unexpected .php files in /var/www/html/. |
| Web Server Logs | POST /problem_import_qduoj.php with ZIP uploads. |
| Process Execution | Unusual php, bash, or python processes spawned by www-data. |
| Network Traffic | Outbound connections to attacker-controlled C2 servers. |
| ZIP Metadata | ZIP files with filenames containing ../ or absolute paths. |
Exploitation Detection via SIEM Rules
Splunk Query (the two endpoint tests are grouped so the OR does not swallow the index and sourcetype filters):

```
index=web sourcetype=access_* (uri_path="/problem_import_qduoj.php" OR uri_path="/problem_import_hoj.php")
| search form_data="*.zip"
| stats count by src_ip, uri_path, file_name
| where match(file_name, "\.\./")
```
Sigma Rule (the traversal test is its own selection, since a Sigma condition cannot carry a field modifier):

```yaml
title: HUSTOJ ZIP Path Traversal Exploitation Attempt
id: 1a2b3c4d-5e6f-7g8h-9i0j-k1l2m3n4o5p6
status: experimental
description: Detects ZIP uploads with path traversal sequences in HUSTOJ.
references:
  - https://github.com/zhblue/hustoj/security/advisories/GHSA-xmgg-2rw4-7fxj
author: EUVD Monitoring Team
date: 2026/01/27
logsource:
  category: webserver
  product: apache
  service: access
detection:
  selection:
    cs-method: 'POST'
    cs-uri-stem:
      - '/problem_import_qduoj.php'
      - '/problem_import_hoj.php'
    cs-uri-query|contains: '.zip'
  traversal:
    cs-uri-query|contains: '../'
  condition: selection and traversal
falsepositives:
  - Legitimate problem uploads (unlikely to contain traversal)
level: critical
```
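Because the traversal sequence travels inside the ZIP body rather than the request URI, an access-log rule keyed on `../` in the query string will not see it; this added example (not from the original page) instead correlates POSTs to the two import endpoints with `.php` files appearing under the web root shortly afterwards, and records the first request that hits the new file. The access-log lines and file-integrity events are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone
IMPORT_ENDPOINTS = ("/problem_import_qduoj.php", "/problem_import_hoj.php")
WEB_ROOT = "/var/www/html"  # web root named in the page's IOC table
# Apache combined log format; only the fields the detection needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_access_line(line):
    """One access-log line as a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["uri"] = rec["target"].split("?", 1)[0]  # the query string is irrelevant here
    return rec

def import_uploads(records):
    """POST requests to the vulnerable import endpoints, whatever the query string says."""
    return [r for r in records if r["method"] == "POST" and r["uri"] in IMPORT_ENDPOINTS]

def correlate(access_lines, fim_events, window=timedelta(minutes=5)):
    """Pair each import upload with a .php file created under WEB_ROOT within the window,
    and record the first request that hit that new file (the dropped file being used)."""
    records = [r for r in map(parse_access_line, access_lines) if r]
    alerts = []
    for up in import_uploads(records):
        for created_at, path in fim_events:
            php_in_root = path.startswith(WEB_ROOT + "/") and path.endswith(".php")
            if not (php_in_root and up["ts"] <= created_at <= up["ts"] + window):
                continue
            rel = path[len(WEB_ROOT):]  # "/shell.php" as it appears in a request line
            hits = [r for r in records if r["uri"] == rel and r["ts"] >= created_at]
            alerts.append({"src_ip": up["ip"], "endpoint": up["uri"], "new_file": path,
                           "first_hit_ip": hits[0]["ip"] if hits else None})
    return alerts

# Constructed access-log lines (not real traffic): a browse, two imports, then a hit on the new file.
ACCESS_LOG = """\
203.0.113.10 - - [27/Jan/2026:10:14:02 +0000] "GET /problemset.php HTTP/1.1" 200 5120
203.0.113.10 - - [27/Jan/2026:10:14:30 +0000] "POST /problem_import_qduoj.php HTTP/1.1" 200 312
198.51.100.7 - - [27/Jan/2026:10:15:01 +0000] "POST /problem_import_hoj.php?x=1 HTTP/1.1" 302 0
203.0.113.10 - - [27/Jan/2026:10:16:05 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 48
""".splitlines()
# Constructed (timestamp, path) events as a file-integrity monitor would report them.
FIM_EVENTS = [
    (datetime(2026, 1, 27, 10, 14, 31, tzinfo=timezone.utc), "/var/www/html/shell.php"),
    (datetime(2026, 1, 27, 10, 15, 2, tzinfo=timezone.utc), "/var/www/html/data/1001/problem.md"),
]
```

The second upload produces no alert because the only file it is followed by is a `.md` under the data directory, which is what a legitimate import looks like.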
Conclusion
EUVD-2026-4836 (CVE-2026-24479) represents a Critical RCE vulnerability in HUSTOJ, posing significant risks to European educational and research institutions. The flaw is trivially exploitable and requires immediate patching to prevent system compromise. Security teams should:
- Patch or upgrade to HUSTOJ v26.01.24.
- Monitor for exploitation attempts via SIEM and WAF rules.
- Harden systems to limit the impact of potential breaches.
Given the widespread use of HUSTOJ in academia, this vulnerability could have far-reaching consequences if left unaddressed. Proactive mitigation is essential to safeguard sensitive data and maintain compliance with GDPR and NIS2.