Search...

efront-upload.txt

2008-09-30T00:00:00

ID PACKETSTORM:70494
Type packetstorm
Reporter Pepelux
Modified 2008-09-30T00:00:00

Description

                                        
                                            `-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
eFront &lt;= 3.5.1 / build 2710: Remote File Inclusion Vulnerability  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
  
$ Program: eFront  
$ File affected: studentpage.php / professorpage  
$ Version: 3.5.1 / build 2710  
$ Download: http://www.efrontlearning.net  
  
  
Found by Pepelux &lt;pepelux[at]enye-sec.org&gt;  
eNYe-Sec - www.enye-sec.org  
  
-- Description (by the author's page) --  
eFront is an easy to use, visually attractive, SCORM compatible, eLearning  
and Human Capital Development system. It is suitable for both company and  
educational usage. The core eFront system is offered as open-source software  
so you can download and start using it immediately. Check the functionality  
matrix for different eFront editions.  
  
  
-- Bug --  
If you are a student or a teacher you can upload an avatar. It not check the  
extension (JPG, PNG, GIF, ...) and you can upload any file (ex: PHP)  
  
Website structure:  
  
site.com /  
/upload/ -&gt; Files saved  
/admin/  
/avatars  
/student/  
/avatars  
/professor/  
/avatars  
/www -&gt; Website  
/backups  
/libraries  
  
  
-- Exploit --  
Students can upload a shell.php as the avatar ant next execute as:  
http://site/upload/student/avatars/shell.php  
  
Teachers can upload a shell.php as the avatar ant next execute as:  
http://site/upload/professor/avatars/shell.php  
  
  
Note: in all sites I've tested upload dorectory is accesible by web  
  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:70494", "type": "packetstorm", "bulletinFamily": "exploit", "title": "efront-upload.txt", "description": "", "published": "2008-09-30T00:00:00", "modified": "2008-09-30T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/70494/efront-upload.txt.html", "reporter": "Pepelux", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:26:53", "viewCount": 10, "enchantments": {"score": {"value": -0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/70494/efront-upload.txt", "sourceData": "`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- \neFront <= 3.5.1 / build 2710: Remote File Inclusion Vulnerability \n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- \n \n$ Program: eFront \n$ File affected: studentpage.php / professorpage \n$ Version: 3.5.1 / build 2710 \n$ Download: http://www.efrontlearning.net \n \n \nFound by Pepelux <pepelux[at]enye-sec.org> \neNYe-Sec - www.enye-sec.org \n \n-- Description (by the author's page) -- \neFront is an easy to use, visually attractive, SCORM compatible, eLearning \nand Human Capital Development system. It is suitable for both company and \neducational usage. The core eFront system is offered as open-source software \nso you can download and start using it immediately. Check the functionality \nmatrix for different eFront editions. \n \n \n-- Bug -- \nIf you are a student or a teacher you can upload an avatar. It not check the \nextension (JPG, PNG, GIF, ...) and you can upload any file (ex: PHP) \n \nWebsite structure: \n \nsite.com / \n/upload/ -> Files saved \n/admin/ \n/avatars \n/student/ \n/avatars \n/professor/ \n/avatars \n/www -> Website \n/backups \n/libraries \n \n \n-- Exploit -- \nStudents can upload a shell.php as the avatar ant next execute as: \nhttp://site/upload/student/avatars/shell.php \n \nTeachers can upload a shell.php as the avatar ant next execute as: \nhttp://site/upload/professor/avatars/shell.php \n \n \nNote: in all sites I've tested upload dorectory is accesible by web \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647759314}}