lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 16 Apr 2015 13:08:06 GMT
From: prathan.ptr@...il.com
To: bugtraq@...urityfocus.com
Subject: Wolf CMS 0.8.2 Arbitrary File Upload Vulnerability

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /        
  / XXXXXX /
 (________(          
  `------'
  
 Exploit Title   : Wolf CMS Arbitrary File Upload Exploit
 Date            : 16 April 2015
 Exploit Author  : CWH Underground
 Discovered By   : ZeQ3uL
 Site            : www.2600.in.th
 Vendor Homepage : https://www.wolfcms.org/
 Software Link   : https://bitbucket.org/wolfcms/wolf-cms-downloads/downloads/wolfcms-0.8.2.zip
 Version         : 0.8.2
   
####################
SOFTWARE DESCRIPTION
####################
   
Wolf CMS is a content management system and is Free Software published under the GNU General Public License v3. 
Wolf CMS is written in the PHP programming language. Wolf CMS is a fork of Frog CMS.
   
#######################################
VULNERABILITY: Arbitrary File Upload
#######################################
    
This exploit a file upload vulnerability found in Wolf CMS 0.8.2, and possibly prior. Attackers can abuse the
upload feature in order to upload a malicious PHP file into the application with authenticated user, which results in arbitrary remote code execution.

The vulnerability was found on File Manager Function (Enabled by default), which provides interfaces to manage files from the administration. 

In this simple example, there are no restrictions made regarding the type of files allowed for uploading. 
Therefore, an attacker can upload a PHP shell file with malicious code that can lead to full control of a victim server. 
Additionally, the uploaded file can be moved to the root directory, meaning that the attacker can access it through the Internet.
   
/wolf/plugins/file_manager/FileManagerController.php (LINE: 302-339)
-----------------------------------------------------------------------------
// Clean filenames
        $filename = preg_replace('/ /', '_', $_FILES['upload_file']['name']);
        $filename = preg_replace('/[^a-z0-9_\-\.]/i', '', $filename);

        if (isset($_FILES)) {
            $file = $this->_upload_file($filename, FILES_DIR . '/' . $path . '/', $_FILES['upload_file']['tmp_name'], $overwrite);

            if ($file === false)
                Flash::set('error', __('File has not been uploaded!'));
        }
-----------------------------------------------------------------------------

#####################
Disclosure Timeline
#####################

[04/04/2015]  Issue reported to Developer Team
[08/04/2015]  Discussed for fixing the issue

################################################################################################################
# Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################

Powered by blists - more mailing lists