Orbis CMS 1.0.2 Arbitrary File Upload Vulnerability

2010-12-01T00:00:00
ID 1337DAY-ID-15000
Type zdt
Reporter Mark Stanislav
Modified 2010-12-01T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ===================================================
Orbis CMS 1.0.2 Arbitrary File Upload Vulnerability
===================================================


'Orbis CMS' Arbitrary Script Execution Vulnerability (CVE-2010-4313)
Mark Stanislav - [email protected]
 
 
I. DESCRIPTION
---------------------------------------
A vulnerability exists in the 'Orbis CMS' fileman_file_upload.php script that allows any authenticated user to upload a PHP script and then run it without restriction.
 
  
II. TESTED VERSION
---------------------------------------
1.0.2
 
 
III. PoC EXPLOIT
---------------------------------------
1) Login as any CMS user (administrator or non-administrator)
2) Upload your desired PHP script (e.g. cmd.php)
3) Navigate to http://www.example.com/orbis/uploads/cmd.php?cmd=cat%20/etc/passwd
 
 
IV. NOTES
---------------------------------------
* This software is no longer developed according to the product page; it is still available for download though.
* Various other vulnerabilities exist in this code base (at least for previous versions); it's advisable not to use this software as patches are not coming.
* A vendor notice was not done for the aforementioned reasons.
 
 
V. SOLUTION
---------------------------------------
Overhaul the upload verification portion of fileman_file_upload.php completely.



#  0day.today [2018-01-01]  #