Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Geeklog 2.1.0
Fixed in:            2.1.1b3
Fixed Version Link:  http://ift.tt/1OTKizb
Vendor Contact:      geeklog-security@lists.geeklog.net
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 12/02/2015
Release mode:        Coordinated release
CVE:                 requested, but not assigned
Credits:             Tim Coen of Curesec GmbH

2. Overview

The admin area of Geeklog suffers from two vulnerabilities that can lead to code execution: OS Command Injection and Upload of Files with Dangerous Type. The arbitrary file upload is already fixed in the beta version geeklog-2.1.1b1, the OS command injection in version 2.1.1b3.

3. Upload of Files with Dangerous Type

CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description
When uploading a file, the file type check is performed only client-side. An attacker can easily bypass this check and thus upload files of dangerous types, such as PHP files. To upload files, an attacker needs a registered user that is in the group "Filemanager Admin".

Proof of Concept

POST /geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php HTTP/1.1
Host: localhost
X-Requested-With: XMLHttpRequest
Content-Length: 761
Content-Type: multipart/form-data; boundary
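The root cause described above is that the only file type check ran in the browser, which the server cannot trust. As an added example (not Geeklog code and not the vendor's fix), the function below shows the shape of the check that has to run server-side in a PHP upload handler: an extension allowlist applied to every dotted component of the client-supplied name, and a content sniff of the temporary file that ignores the client-supplied MIME type. The function name, the allowlists and the constructed sample files are assumptions.

```php
<?php
// Added example, not part of Geeklog: server-side validation of an uploaded file.
// Assumes the PHP fileinfo extension is available (enabled by default).
declare(strict_types=1);

/**
 * Returns null when the upload is acceptable, otherwise a short reason.
 * Only the original file name and the bytes on disk are inspected; the
 * "type" field the browser sends with the upload is deliberately not used.
 */
function validate_upload(string $originalName, string $tmpPath, array $allowedExt): ?string
{
    // The client controls the name, so drop any directory component first.
    $base = basename($originalName);

    // Reject null bytes and other control characters in the name.
    if (preg_match('/[\x00-\x1f\x7f]/', $base)) {
        return 'control character in file name';
    }

    // Every dotted component after the first is treated as an extension,
    // so "shell.php.png" is judged by "php" as well as by "png".
    $parts = explode('.', $base);
    if (count($parts) < 2) {
        return 'no extension';
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array(strtolower($ext), $allowedExt, true)) {
            return 'extension not allowed: ' . $ext;
        }
    }

    // Independent of the name: sniff the MIME type from the file content.
    // Assumed allowlist for an image upload; adjust to the feature's needs.
    $allowedMime = ['image/png', 'image/jpeg', 'image/gif'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, $allowedMime, true)) {
        return 'content type not allowed: ' . var_export($mime, true);
    }

    return null;
}

// Demonstration on constructed inputs (run from the CLI: php validate_upload.php).
$allowedExt = ['png', 'jpg', 'jpeg', 'gif'];

$pngFile = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($pngFile, "\x89PNG\r\n\x1a\n");       // constructed PNG signature only
$phpFile = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($phpFile, "<?php echo 'x'; ?>");      // constructed PHP source

$cases = [
    ['photo.png',      $pngFile],   // acceptable
    ['photo.png',      $phpFile],   // PHP source renamed to .png
    ['shell.php.png',  $pngFile],   // double extension
    ['../shell.php',   $phpFile],   // path traversal plus dangerous extension
];
foreach ($cases as [$name, $path]) {
    $result = validate_upload($name, $path, $allowedExt);
    printf("%-15s -> %s\n", $name, $result ?? 'ok');
}

unlink($pngFile);
unlink($phpFile);
```

When the check passes, the file should still be stored under a server-generated name (never the client-supplied one) in a directory where the web server does not execute scripts; the validation above decides whether to accept the upload, not where it is safe to put it.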