Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormEgiXPACKETSTORM:129777
HistoryDec 31, 2014 - 12:00 a.m.

Osclass 3.4.2 Shell Upload

2014-12-3100:00:00
EgiX
packetstormsecurity.com
56

0.012 Low

EPSS

Percentile

83.7%

JSON
`---------------------------------------------------------------------  
Osclass <= 3.4.2 (contact.php) Unrestricted File Upload Vulnerability  
---------------------------------------------------------------------  
  
  
[-] Software Link:  
  
http://osclass.org/   
  
  
[-] Affected Versions:  
  
Version 3.4.2 and probably prior versions.  
  
  
[-] Vulnerability Description:  
  
The vulnerable code is located in the /oc-includes/osclass/controller/contact.php script:  
  
97. if( osc_contact_attachment() ) {  
98. $attachment = Params::getFiles('attachment');  
99. if(isset($attachment['tmp_name'])) {  
100. $resourceName = $attachment['name'];  
101. $tmpName = $attachment['tmp_name'];  
102. $resourceType = $attachment['type'];  
103. $path = osc_uploads_path() . time() . '_' . $resourceName;  
104. if( !is_writable(osc_uploads_path()) ) {  
105. osc_add_flash_error_message( _m('There have been some errors ...  
106. $this->redirectTo( osc_contact_url() );  
107. }  
108.   
109. if( !move_uploaded_file($tmpName, $path) ) {  
110. unset($path);  
111. }  
112. }  
113. }  
  
The vulnerability exists because of the "CWebContact::doModel()" method not properly verifying the  
extension of uploaded files. This could be exploited by unauthenticated attackers to upload and  
execute arbitrary PHP code. Successful exploitation of this vulnerability requires the attachment  
option for the contact page to be enabled (disabled by default).  
  
  
[-] Solution:  
  
Update to version 3.4.3 or later.  
  
  
[-] Disclosure Timeline:  
  
[30/09/2014] - Vendor notified  
[30/09/2014] - Vendor response  
[09/10/2014] - Version 3.4.3 released: http://blog.osclass.org/2014/10/09/osclass-3-4-3  
[09/10/2014] - CVE number requested  
[11/10/2014] - CVE number assigned  
[31/12/2014] - Public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2014-8085 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2014-16  
  
  
`

Related

cve 1
cvelist 1
zdt 1
securityvulns 2
prion 1
cve
cve
CVE-2014-8085
2015-01-05 20:59:00
cvelist
cvelist
CVE-2014-8085
2015-01-05 20:00:00
zdt
zdt
Osclass 3.4.2 Shell Upload Vulnerability
2015-01-01 00:00:00
securityvulns
securityvulns
[KIS-2014-16] Osclass &lt;= 3.4.2 &#40;contact.php&#41; Unrestricted File Upload Vulnerability
2015-01-02 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2015-01-02 00:00:00
prion
prion
Unrestricted file upload
2015-01-05 20:59:00

0.012 Low

EPSS

Percentile

83.7%

JSON
Related for PACKETSTORM:129777
cve1cvelist1zdt1securityvulns2prion1