0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ObjectPlanet Opinio 7.13 Shell Upload Vulnerability
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng # CVE: CVE-2020-26806 # Exploit Title: ObjectPlanet Opinio version 7.13 allows unrestricted file upload # Vendor Homepage: https://www.objectplanet.com/opinio/ # Software Link: https://www.objectplanet.com/opinio/ # Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng # CVE: CVE-2020-26806 # Timeline - September 2020: Initial discovery - October 2020: Reported to ObjectPlanet - November 2020: Fix/patch provided by ObjectPlanet - July 2021: CVE-2020-26806 # 1. Introduction Opinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed. # 2. Vulnerability Details ObjectPlanet Opinio before version 7.13 is vulnerable to unrestricted file uploads # 3. Proof of Concept ### Unrestricted File Upload leading to RCE ### Step 1: URL: /opinio/admin/file.do Opinio allows an administrative user to edit local CSS files. This file editing function however does not validate if the HTTP POST parameters are tampered with. Post parameters to tamper with: - filePath - fileContent The base directory can be guessed via the information under Setup >> Edit System Settings , this page on Opinio shows the local directory of where Opinio was installed to. The file path can be tampered with for e.g. : /upload/css/common/../../../admin/shell.jsp The fileContent value was tampered with a JSP webshell for this PoC and a webshell was acheieved For our PoC, we could view the web.xml file using an XXE vulnerability CVE-2020-26564 and identify which JSP files were allowed be loaded and replaced the contents of that JSP file with the webshell code This vulnerability was confirmed by ObjectPlanet Opinio in their patch notes which can be found at : https://www.objectplanet.com/opinio/changelog.html ------------------------------------------------------- # 4. Remediation Apply the latest fix/patch from objectplanet. # 5. Credits Timothy Tan (https://sg.linkedin.com/in/timtjh) Khor Yong Heng (https://www.linkedin.com/in/khor-yong-heng-66108a120/) Yu EnHui (https://www.linkedin.com/in/enhui-yu-88691b15b/) Daniel Tan (https://www.linkedin.com/in/dantanjk/) # 0day.today [2024-11-15] #