Security Advisory - Curesec Research Team 1. Introduction Affected Product: CouchCMS 1.4.5 Fixed in: 1.4.7 Fixed Version Link: http://ift.tt/1Psz3AY Vendor Website: http://ift.tt/RkwNdm Vulnerability Type: Code Execution Remote Exploitable: Yes Reported to vendor: 11/17/2015 Disclosed to public: 12/21/2015 Release mode: Coordinated Release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Overview CVSS High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C Description When uploading a file, the file extension is checked against a blacklist. This blacklist misses at the least pht, which is executed by most default Apache configurations. The uploaded file must be a valid image file, but an attacker can bypass this restriction. Admin credentials are required to upload files. A htaccess file forbids the execution of PHP code in uploaded files, but some servers are configured to not read htaccess files, for example for performance reasons. Apache for example ignores htaccess files by default since version 2.3.9. 3. Proof of Concept POST /CouchCMS-1.4.5/couch/includes/kcfinder/browse.php?type=image&lng=en&act=upload&nonce=1abb096565d868f94f727f600e8c4f61 HTTP/1.1 Host: localhost Connection: keep-alive Content-Type: multipart/form-data; boundary
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment