CMS Etiko Arbitrary File Upload Vulnerability

2012-10-31 / 2012-11-01
Credit: Sys32
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# CMS Etiko Arbitrary File Upload Vulnerability
# Google Dork: intext:"CMS Etiko"
# Date: 27/10/2012
# Author: Sys32
# Email: tha.Sys32[at]gmail[dot]com
# Vendor: http://www.etikweb.com/
# Category: Webapp
# Tested on: Backtrack 5 r3
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# I. INFO.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The application allows an attacker to upload an arbitrary file to the web server.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# II. Vulnerable Code.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# file => files.php
#
# function upload_file($user_id,$path){
#     global $site_url,$HTTP_POST_FILES;
#
#     // Upload file
#     @mkdir($path,0775);  // Make directory, if it doesn't exist
#     @chmod($path,0775);
#
#     $path="$path/";
#
#     if($user_id==false) $user_id=date("YmdHmi");
#
#     $file_name="$user_id-".$HTTP_POST_FILES['image']['name'];
#
#     if($HTTP_POST_FILES['image']['name']){ // if a file was actually uploaded
#         $HTTP_POST_FILES['image']['name']=str_replace("%","",$HTTP_POST_FILES['image']['name']); // remove any % signs from the file name
#         move_uploaded_file($HTTP_POST_FILES['image']['tmp_name'],$path.$file_name); // put the file in the directory
#
#         $uploaded_file="$path".$file_name;
#         chmod($uploaded_file,0775);
#         return $file_name;
#     }
#
#     return "";
# }
#
# As you can see in the code, file extensions aren't verified.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# III. EXPLOIT.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# Register a new user, log in, go to the profile settings and upload the file through the Picture form.
#
# Shell location:
#
# http://localhost/images/users/
#
# Shell name: $user_id -your-file.php
#             $date("YmdHmi") -your-file.php
#
# Note: You can also find your shell by viewing the source code of the user profile page that you have made.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# IV. Risk.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The security risk of arbitrary file upload is estimated as critical.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
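The code above fails in three places at once: no extension check, a client-chosen and predictable file name ("$user_id-<original name>" under a web-served directory), and 0775 permissions. The function below is an added example of a hardened replacement, not CMS Etiko's own code; it keeps the original call shape and the "image" upload field, and assumes PHP 7+ with ext/fileinfo available.

```php
<?php
// Hardened replacement for upload_file(): added example, not CMS Etiko's code.
// Same call shape as the original: returns the stored file name or "" when rejected.
// $user_id is kept for call compatibility but no longer forms part of the file name.
function upload_file($user_id, $path) {
    // Only the image types a profile picture needs; value is the MIME the bytes must report.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];

    if (!isset($_FILES['image']) || $_FILES['image']['error'] !== UPLOAD_ERR_OK) {
        return "";
    }
    $tmp = $_FILES['image']['tmp_name'];
    // Accept only a file PHP itself received in this request.
    if (!is_uploaded_file($tmp)) {
        return "";
    }

    // 1. Extension allow-list: the original never inspected the extension.
    $ext = strtolower(pathinfo($_FILES['image']['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return "";
    }

    // 2. Content check: declared type and actual bytes must agree (needs ext/fileinfo).
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmp);
    finfo_close($finfo);
    if ($mime !== $allowed[$ext] || getimagesize($tmp) === false) {
        return "";
    }

    // 3. Server-chosen name: "$user_id-<client name>" was attacker-controlled and
    //    predictable, which is how the advisory locates the uploaded file.
    $file_name = bin2hex(random_bytes(16)) . '.' . $ext;

    if (!is_dir($path) && !mkdir($path, 0755, true)) {
        return "";
    }
    $dest = rtrim($path, '/') . '/' . $file_name;
    if (!move_uploaded_file($tmp, $dest)) {
        return "";
    }
    // 4. Not executable (0644 instead of 0775); the web server should additionally
    //    refuse to run scripts from the upload directory.
    chmod($dest, 0644);
    return $file_name;
}
```

The web-server side of step 4 (disabling script execution for the images directory) is the control that still holds if a future filter bypass is found, so it should be configured independently of this function.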

References:

http://www.etikweb.com/


Copyright 2024, cxsecurity.com