| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Nov 2010 23:49:21 -0500 From: Mark Stanislav <mark.stanislav@...il.com> To: full-disclosure@...ts.grok.org.uk Cc: bugtraq@...urityfocus.com Subject: 'Orbis CMS' Arbitrary Script Execution Vulnerability (CVE-2010-4313) 'Orbis CMS' Arbitrary Script Execution Vulnerability (CVE-2010-4313) Mark Stanislav - mark.stanislav@...il.com I. DESCRIPTION --------------------------------------- A vulnerability exists in the 'Orbis CMS' fileman_file_upload.php script that allows any authenticated user to upload a PHP script and then run it without restriction. II. TESTED VERSION --------------------------------------- 1.0.2 III. PoC EXPLOIT --------------------------------------- 1) Login as any CMS user (administrator or non-administrator) 2) Upload your desired PHP script (e.g. cmd.php) 3) Navigate to http://www.example.com/orbis/uploads/cmd.php?cmd=cat%20/etc/passwd IV. NOTES --------------------------------------- * This software is no longer developed according to the product page; it is still available for download though. * Various other vulnerabilities exist in this code base (at least for previous versions); it's advisable not to use this software as patches are not coming. * A vendor notice was not done for the aforementioned reasons. V. SOLUTION --------------------------------------- Overhaul the upload verification portion of fileman_file_upload.php completely. VI. REFERENCES --------------------------------------- http://www.novo-ws.com/orbis-cms/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4313 http://www.uncompiled.com/2010/11/orbis-cms-arbitrary-script-execution-vulnerability-cve-2010-4313/ VII. TIMELINE --------------------------------------- 11/30/2010: Public disclosure _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists