Security Advisory - Curesec Research Team 1. Introduction Affected Product: Elefant CMS 1.3.12-RC Fixed in: 1.3.13 Fixed Version http://ift.tt/2kNFkut Link: elefant_1_3_13_rc Vendor Website: http://ift.tt/1G6Va79 Vulnerability Code Execution Type: Remote Yes Exploitable: Reported to 09/05/2016 vendor: Disclosed to 02/02/2017 public: Release mode: Coordinated Release CVE: n/a (not requested) Credits Tim Coen of Curesec GmbH 2. Overview Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to code execution because of two different vulnerabilities. It allows the upload of files with dangerous type, as well as PHP code injection. An account is required to exploit these issues. 3. Details Upload of file with dangerous type CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C The file upload forbids the uploading of files with the .php extension, but allows uploading of files with a number of other dangerous extensions leading to code execution and XSS. A user account is required which has the right to upload and manage files. By default, the editor or admin role have this right. Proof of Concept: POST /filemanager/upload/drop HTTP/1.1 Host: localhost Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/ form-data; boundary
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment