Zenphoto CMS 1.5.7 Shell Upload

🗓️ 26 Feb 2021 00:00:00Reported by Abdulaziz AlmisferType

packetstorm🔗 packetstormsecurity.com👁 376 Views

Authenticated arbitrary file upload to RCE in Zenphoto CMS 1.5.

Reporter	Title	Published	Views	Family All 10
0day.today	Zenphoto CMS 1.5.7 Shell Upload Vulnerability	26 Feb 202100:00	–	zdt
ATTACKERKB	CVE-2020-36079	26 Feb 202123:15	–	attackerkb
CNNVD	Zenphoto 代码问题漏洞	26 Feb 202100:00	–	cnnvd
CNVD	Zenphoto Arbitrary File Upload Vulnerability	1 Mar 202100:00	–	cnvd
CVE	CVE-2020-36079	26 Feb 202122:49	–	cve
Cvelist	CVE-2020-36079	26 Feb 202122:49	–	cvelist
NVD	CVE-2020-36079	26 Feb 202123:15	–	nvd
Prion	Design/Logic Flaw	26 Feb 202123:15	–	prion
Positive Technologies	PT-2021-11913 · Zenphoto · Zenphoto	26 Feb 202100:00	–	ptsecurity
RedhatCVE	CVE-2020-36079	22 May 202517:37	–	redhatcve

` Authenticated arbitrary file upload to RCE  
  
Product : Zenphoto   
Affected : Zenphoto CMS - <= 1.5.7  
Attack Type : Remote  
  
login then go to plugins then go to uploader and press on the check box elFinder  
then press apply , after that you go to upload then Files(elFinder) drag and drop  
any malicious php code after that go to /uploaded/ and you're php code  
  
--------------------------------------------------------------------------------------------  
Zenphoto through 1.5.7 is affected by authenticated arbitrary file  
upload, leading to remote code execution. The attacker must navigate to  
the uploader plugin, check the elFinder box, and then drag and drop  
files into the Files(elFinder) portion of the UI. This can, for  
example, place a .php file in the server's uploaded/ directory.  
  
[Reference]  
https://www.linkedin.com/in/abdulaziz-almisfer-22a7861ab/   
https://twitter.com/3almisfer  
https://github.com/azizalshammari/  
  
------------------------------------------  
[Discoverer]  
Abdulaziz Almisfer  
  
CVE-2020-36079  
`

26 Feb 2021 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.15574