lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAPYM6VwJiGbNGjDb0bu9PBqEUsiGQc99u5pNnquLOqK8ZCKYeg@mail.gmail.com> Date: Fri, 26 Aug 2011 23:58:25 +0800 From: YGN Ethical Hacker Group <lists@...g.net> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, bugs@...uritytracker.com, vuln@...unia.com, secalert@...urityreason.com, news@...uriteam.com, vuln@...urity.nnov.ru, moderators@...db.org, submissions@...ketstormsecurity.org Subject: Jcow CMS 4.x:4.2 <= , 5.x:5.2 <= | Arbitrary Code Execution Jcow CMS 4.x:4.2 <= , 5.x:5.2 <= | Arbitrary Code Execution 1. OVERVIEW Jcow CMS versions (4.x: 4.2 and lower, 5.x: 5.2 and lower) are vulnerable to Arbitrary Code Execution. 2. BACKGROUND Jcow is a flexible Social Networking software written in PHP. It can help you to build a social network for your interests and passions, a member community for your existing website and a social networking site like facebook/myspace/twitter. 3. VULNERABILITY DESCRIPTION The parameter "attachment" is not properly sanitized upon submission to /index.php, which allows attacker to execute arbitrary PHP code of his own. 4. VERSIONS AFFECTED Free version: 4.x: 4.2 and lower Commercial version: 5.x: 5.2 and lower 5. PROOF-OF-CONCEPT/EXPLOIT http://dev.metasploit.com/redmine/attachments/1660/jcow_eval.rb jcow 4.2.1: file: /includes/libs/ss.inc.php line: 167 $app = $_POST['attachment']; if (strlen($app) && $app != 'status') { include_once('modules/'.$app.'/'.$app.'.php'); $c_run = $app.'::ajax_post();'; eval($c_run); exit; } jcow 5.2.0: file: /includes/libs/ss.inc.php line: 45 $Vd2a57dc1 = $_POST['attachment']; if (strlen($Vd2a57dc1) && $Vd2a57dc1 != 'status') { include_once('modules/'.$Vd2a57dc1.'/'.$Vd2a57dc1.'.php'); $Ve8200cee = $Vd2a57dc1.'::ajax_post();'; eval($Ve8200cee); exit; } 6. SOLUTION Free version users can upgrade to 4.3.1 or higher. Commercial users can upgrade to 5.3 or higher. 7. VENDOR Jcow CMS Development Team http://www.jcow.net 8. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2010-06-03: notified vendor 2010-06-03: vendor replied fix would be available within 48hrs 2011-08-24: vendor released fixed versions for 4.x and 5.x, 4.3.1 for free release 5.3 for commercial release 2011-08-26: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[jcow_4.2,5.2]_arbitrary_code_execution Jcow CMS: http://sourceforge.net/projects/jcow/files/jcow4/jcow.4.2.1.zip/download #yehg [2011-08-26] --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists