[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Achievo 1.4.2 Arbitrary File Upload

Author
Nahuel Grisolia
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-10081
Category
web applications
Date add
04-12-2009
Platform
unsorted
===================================
Achievo 1.4.2 Arbitrary File Upload
===================================

Affected Applications: Confirmed in Achievo 1.4.2. Other versions may also be affected.
 
Severity: Medium – CVSS: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
 
Vendor Status: New release available (Achievo 1.4.3)
 
Vulnerability Description:
 
The vulnerability is caused due to an improper check in “Document Types” section under Setup menu,
allowing the upload of files with arbitrary extensions to a folder inside the Webroot. This can be
exploited to e.g. execute arbitrary PHP code by uploading a specially crafted PHP script containing
some kind of Web Shell.
Proof of Concept:
Select a file with any extension (including PHP) and upload it using the form. The file will be available
in:
 
http://server/modules/docmanager/doctypetemplates/myuploadedfile
 
For example, we can upload “cmd.php” in our instalation in localhost and execute it entering:
 
 
http://server/achievo-1.4.2/modules/docmanager/doctypetemplates/cmd.php
 
 
Impact:
 
Direct execution of arbitrary PHP code in the Web Server.
 
Solution:
 
Update the document manager and add a new config (docmanager_allowedfiletypes) for it in
/configs/docmanager.php.inc. With this config you can tell the docmanager what type of files a user can
upload.
 
Vendor Response:
2009-12-03 – Vulnerability was identified
2009-12-03 – Vendor contacted
2009-12-03 – Vendor confirmed vulnerability
2009-12-03 – Vendor released fixed version
2009-12-04 – Vulnerability published



#  0day.today [2024-12-25]  #