[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Wolf CMS 0.8.2 Arbitrary File Upload Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Wolf CMS 0.8.2 Arbitrary File Upload Vulnerability
From: prathan.ptr@xxxxxxxxx
Date: Thu, 16 Apr 2015 13:08:06 GMT

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /        
  / XXXXXX /
 (________(          
  `------'
  
 Exploit Title   : Wolf CMS Arbitrary File Upload Exploit
 Date            : 16 April 2015
 Exploit Author  : CWH Underground
 Discovered By   : ZeQ3uL
 Site            : www.2600.in.th
 Vendor Homepage : https://www.wolfcms.org/
 Software Link   : 
https://bitbucket.org/wolfcms/wolf-cms-downloads/downloads/wolfcms-0.8.2.zip
 Version         : 0.8.2
   
####################
SOFTWARE DESCRIPTION
####################
   
Wolf CMS is a content management system and is Free Software published under 
the GNU General Public License v3. 
Wolf CMS is written in the PHP programming language. Wolf CMS is a fork of Frog 
CMS.
   
#######################################
VULNERABILITY: Arbitrary File Upload
#######################################
    
This exploit a file upload vulnerability found in Wolf CMS 0.8.2, and possibly 
prior. Attackers can abuse the
upload feature in order to upload a malicious PHP file into the application 
with authenticated user, which results in arbitrary remote code execution.

The vulnerability was found on File Manager Function (Enabled by default), 
which provides interfaces to manage files from the administration. 

In this simple example, there are no restrictions made regarding the type of 
files allowed for uploading. 
Therefore, an attacker can upload a PHP shell file with malicious code that can 
lead to full control of a victim server. 
Additionally, the uploaded file can be moved to the root directory, meaning 
that the attacker can access it through the Internet.
   
/wolf/plugins/file_manager/FileManagerController.php (LINE: 302-339)
-----------------------------------------------------------------------------
// Clean filenames
        $filename = preg_replace('/ /', '_', $_FILES['upload_file']['name']);
        $filename = preg_replace('/[^a-z0-9_\-\.]/i', '', $filename);

        if (isset($_FILES)) {
            $file = $this->_upload_file($filename, FILES_DIR . '/' . $path . 
'/', $_FILES['upload_file']['tmp_name'], $overwrite);

            if ($file === false)
                Flash::set('error', __('File has not been uploaded!'));
        }
-----------------------------------------------------------------------------

#####################
Disclosure Timeline
#####################

[04/04/2015] ? Issue reported to Developer Team
[08/04/2015] ? Discussed for fixing the issue

################################################################################################################
# Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, 
Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################

Prev by Date: [SECURITY] [DSA 3228-1] ppp security update
Next by Date: Lychee 2.7.1 remote code execution
Previous by thread: [SECURITY] [DSA 3228-1] ppp security update
Next by thread: Lychee 2.7.1 remote code execution
Index(es):
- Date
- Thread