Skip to content
cyberexploits
webappphptext

Wolf CMS - Arbitrary File Upload / Execution

Wolf CMS - Arbitrary File Upload / Execution

Publié le 2015-08-28

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/38000.txt7eac4c3a
raw
# Exploit Title    : Wolf CMS 0.8.2  Arbitrary File Upload To Command

Execution

# Reported Date    : 05-May-2015

# Fixed Date       : 10-August-2015

# Exploit Author   : Narendra Bhati

# CVE ID           : CVE-2015-6567 , CVE-2015-6568

# Contact:

* Facebook         : https://facebook.com/narendradewsoft

*Twitter           : http://twitter.com/NarendraBhatiB

# Website          : http://websecgeeks.com

# Additional Links -

* https://github.com/wolfcms/wolfcms/releases/

* https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html



#For POC -

http://websecgeeks.com/wolf-cms-arbitrary-file-upload-to-command-execution/



1. Description



Every registered users who have access of upload functionality can upload

an Arbitrary File Upload To perform Command Execution



Vulnerable URL



http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/



Vulnerable Parameter



"filename"





2. Proof of Concept



A)Login as regular user ( who have access upload functionality )



B)Go to this page  -

http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/



C)Select upload an file option to upload Arbitary File ( filename ex:

"hello.php" )



D)Now you can access the file by here -

http://targetsite.com/wolfcms/public/hello.php





3. Solution:



Update to version 0.8.3.1

http://www.wolfcms.org/download.html



=============



-- 

*Narendra Bhati "CEH" **( Facebook

<http://www.facebook.com/narendradewsoft> , Twitter

<http://www.twitter.com/NarendraBhatiB> , LinkedIn

<https://www.linkedin.com/profile/view?id=115146074> , Personal Blog )*

*Security Analyst - IT Risk & Security Management Services*

Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane

Pune: 411004 |



*======================================================================*

Voir sur GitHub