logahead UNU edition 1.0 Remote File Upload & code execution

2006.12.29
Credit: CorryL
Risk: High
Local: No
Remote: Yes
CWE: CWE-287


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-=[--------------------ADVISORY-------------------]=- logahead UNU edition 1.0 Author: CorryL [corryl80 (at) gmail (dot) com [email concealed]] -=[-----------------------------------------------]=- -=[+] Application: logahead UNU edition -=[+] Version: 1.0 -=[+] Vendor's URL: http://typo.i24.cc/logahead/ -=[+] Platform: WindowsLinuxUnix -=[+] Bug type: Remote Upload file & Code execution -=[+] Exploitation: Remote -=[-] -=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~ -=[+] Reference: www.x0n3-h4ck.org -=[+] Virtual Office: http://www.kasamba.com/CorryL -=[+] Irc Chan: irc.darksin.net #x0n3-h4ck -=[+] Special Thanks: Merry Christmas for All, Thanks for all #x0n3-h4ck member, un saluto a tutti gli avolesi nel mondo. ..::[ Descriprion ]::.. You might already have heard of logahead - the ajaxified blogging engine using PHP4 and mySQL database by James from the UK. The UNU edition is based on the logahead beta 1.0 code published under GNU/GPL license. While the original version sticks to the basic functions of a blog (mainly publishing posts and receiving comments), the UNU edition is more enchanted and offers a number of additional features. ..::[ Bug ]::.. My give searches the form Widgets of this blog is results vulnerability, in fact a remote attaker is able to upload also a file php, and to perform arbitrary commands inside the server victim. ..::[ Proof Of Concept ]::.. http://www.server-victim/extras/plugins/widged/_widged.php?A=U&D= ..::[ Disclousure Timeline ]::.. [25/12/2006] - Public disclousure


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top