lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 22 Aug 2011 11:18:00 GMT
From: eidelweiss@...dowslive.com
To: bugtraq@...urityfocus.com
Subject: JagoanStore CMS Arbitary file upload vulnerability

Software: JagoanStore CMS
Vendor: www.jagoanstore.com
Price: Rp.900.000 (IDR)
Vuln Type:  Arbitary file upload
 
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss-advisories.blogspot.com
Gratz: Devilzc0de, YOGYACARDERLINK, and YOU !!!
 
References: http://eidelweiss-advisories.blogspot.com/2011/08/jagoanstore-cms-arbitary-file-upload.html
 
 
===================================================================
 
    description:
JagoanStore, adalah CMS untuk membuat toko online.
JagoanStore dibuat tidak hanya berdasar pada hal teknis pembuatan website, dalam pembuatannya juga di desain untuk membuat web toko online Anda mampu menjadi senjata ampuh bagi bisnis Anda.
Kini Anda tinggal fokus pada peningkatan penjualan online Anda.
 
----------------------------------
    Vulnerability details:
 
JagoanStore CMS is using the old version of FCKeditor for upload file to all user.And all know the old version of FCKeditor have a vulnerability and attacker might be able to upload arbitrary files containing malicious PHP code due to multiple file extensions isn't properly checked.
Here is the code:
 
    /manage/fckeditor/editor/filemanager/connectors/php/config.php
 
global $Config ;
 
// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
//      authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = true ; // <= 1
 
---
 
// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/userfiles/' ;  // <= here is the path of attacker file or shell backdoor will be placed.
 
// following setting enabled.
$Config['ForceSingleExtension'] = true ;    // <= 2
 
$Config['AllowedExtensions']['File']    = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;   // <= 3
 
$Config['AllowedExtensions']['Image']	= array('bmp','gif','jpeg','jpg','png') ; 
---
 
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code due to multiple file extensions isn't properly checked
 
 
----------------------------------
 
    exploit & p0c
 
[!] http://host/manage/fckeditor/editor/filemanager/connectors/uploadtest.html    // upload your file here
    or
[!] http://host/path_to_CMSBalitbang/manage/fckeditor/editor/filemanager/connectors/uploadtest.html
 
    your shell or file will be placed here
 
[!] http://localhost/userfiles/ <= here
 
Nb: You can use trick from pentesters.ir about FCKeditor :D  
 
Advisories Time:
 
08-14-2011 (GMT+7) Bug Founded
08-15-2011 (GMT+7) Bug Reported to Vendor
08-21-2011 (GMT+7) Vendor respon and do patching (contact via online chat) :D
08-22-2011 (GMT+7) Advisories Publish
 
====================================================================
 
    Nothing Impossible In This World Even Nobody`s Perfect
 
===================================================================
 
==========================| -=[ E0F ]=- |==========================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ