JagoanStore CMS任意文件上传漏洞

===================================================================

    description:
JagoanStore, adalah CMS untuk membuat toko online.
JagoanStore dibuat tidak hanya berdasar pada hal teknis pembuatan website, dalam pembuatannya juga di desain untuk membuat web toko online Anda mampu menjadi senjata ampuh bagi bisnis Anda.
Kini Anda tinggal fokus pada peningkatan penjualan online Anda.

----------------------------------
    Vulnerability details:

JagoanStore CMS is using the old version of FCKeditor for upload file to all user.And all know the old version of FCKeditor have a vulnerability and attacker might be able to upload arbitrary files containing malicious PHP code due to multiple file extensions isn't properly checked.
Here is the code:

    /manage/fckeditor/editor/filemanager/connectors/php/config.php

global $Config ;

// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
//      authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = true ; // <= 1

---

// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/userfiles/' ;  // <= here is the path of attacker file or shell backdoor will be placed.

// following setting enabled.
$Config['ForceSingleExtension'] = true ;    // <= 2

$Config['AllowedExtensions']['File']    = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;   // <= 3

$Config['AllowedExtensions']['Image']	= array('bmp','gif','jpeg','jpg','png') ; 
---

with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code due to multiple file extensions isn't properly checked

----------------------------------

    exploit & p0c

[!] http://host/manage/fckeditor/editor/filemanager/connectors/uploadtest.html    // upload your file here
    or
[!] http://host/path_to_CMSBalitbang/manage/fckeditor/editor/filemanager/connectors/uploadtest.html

    your shell or file will be placed here

[!] http://localhost/userfiles/ <= here

Nb: You can use trick from pentesters.ir about FCKeditor :D  

Advisories Time:

08-14-2011 (GMT+7) Bug Founded
08-15-2011 (GMT+7) Bug Reported to Vendor
08-21-2011 (GMT+7) Vendor respon and do patching (contact via online chat) :D
08-22-2011 (GMT+7) Advisories Publish

====================================================================

    Nothing Impossible In This World Even Nobody`s Perfect

===================================================================

==========================| -=[ E0F ]=- |==========================

本文固定链接: https://www.unhonker.com/technical/54.html | 90' s Blog|关注网络信息安全

该日志由 unhonker 于2011年08月24日发表在 技术文章 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: JagoanStore CMS任意文件上传漏洞 | 90' s Blog|关注网络信息安全

JagoanStore CMS任意文件上传漏洞:等您坐沙发呢!

发表评论

您必须 [ 登录 ] 才能发表留言!