===================================================================
JagoanStore CMS Arbitary file upload vulnerability
===================================================================
Software: JagoanStore CMS
Vendor: www.jagoanstore.com
Price: Rp.900.000 (IDR)
Vuln Type: Arbitary file upload
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss-advisories.blogspot.com
Gratz: Devilzc0de, YOGYACARDERLINK, and YOU !!!
===================================================================
description:
JagoanStore, adalah CMS untuk membuat toko online.
JagoanStore dibuat tidak hanya berdasar pada hal teknis pembuatan website, dalam pembuatannya juga di desain untuk membuat web toko online Anda mampu menjadi senjata ampuh bagi bisnis Anda.
Kini Anda tinggal fokus pada peningkatan penjualan online Anda.
----------------------------------
Vulnerability details:
JagoanStore CMS is using the old version of FCKeditor for upload file to all user.And all know the old version of FCKeditor have a vulnerability and attacker might be able to upload arbitrary files containing malicious PHP code due to multiple file extensions isn't properly checked.
Here is the code:
/manage/fckeditor/editor/filemanager/connectors/php/config.php
global $Config ;
// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
// authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = true ; // <= 1
---
// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/userfiles/' ; // <= here is the path of attacker file or shell backdoor will be placed.
// following setting enabled.
$Config['ForceSingleExtension'] = true ; // <= 2
$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ; // <= 3
$Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
---
with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code due to multiple file extensions isn't properly checked
----------------------------------
exploit & p0c
[!] http://host/manage/fckeditor/editor/filemanager/connectors/uploadtest.html // upload your file here
or
[!] http://host/path_to_CMSBalitbang/manage/fckeditor/editor/filemanager/connectors/uploadtest.html
your shell or file will be placed here
[!] http://localhost/userfiles/ <= here
Nb: You can use trick from pentesters.ir about FCKeditor :D
====================================================================
Nothing Impossible In This World Even Nobody`s Perfect
===================================================================
Time Line:
- Bug Reported to vendor
- Vendor Response and confirm the bug
- Vendor apply fix and patch
- Vendor awarded bounty (very kind vendor and this is first local vendor that really nice for me)
==========================| -=[ E0F ]=- |==========================
ReplyDeleteHey, Wow all the posts are very informative for the people who visit this site. Good work! We also have a Website. Please feel free to visit our site. Thank you for sharing. iot course fees in chennai | iot certification courses in chennai | iot training in chennai | iot training in chennai quora
Outstanding blog thanks for sharing such wonderful blog with us ,after long time came across such knowlegeble blog. keep sharing such informative blog with us.
ReplyDeleteCheck out : machine learning training in chennai
artificial intelligence and machine learning course in chennai
Big Data Hadoop Training in Chennai a
Hadoop Big Data Training
I really happy found this website eventually. Really informative and inoperative! Thanks for the post and effort! Please keep sharing more such article. I've really like your blog and inspire me in many ways,Cheap Web Hosting India
ReplyDeleteThe biggest question when it comes to selecting a web host has always been which one is better between free web hosting and cheap web domain hosting. The word FREE is always enticing and we click here undoubtedly but not to every body. If you are serious about making money with your website, it will be to your advantage to have your site independently hosted in a paid platform.
ReplyDeleteMmorpg
ReplyDeleteinstagram takipçi satın al
tiktok jeton hilesi
tiktok jeton hilesi
antalya saç ekimi
takipçi
İnstagram Takipçi Satın Al
MT2 PVP SERVERLER
instagram takipçi satın al
Great work with lots of knowledgeable information and thanks for sharing!!
ReplyDeleteAndroid Training in Pune
Android Training in Mumbai
Tül perde modelleri
ReplyDeleteNumara Onay
Türk Telekom Mobil Ödeme Bozdurma
Nft Nasil Alınır
ankara evden eve nakliyat
trafik sigortası
dedektör
WEB SİTE KURMA
Ask kitaplari
smm panel
ReplyDeletesmm panel
İS İLANLARİ BLOG
instagram takipçi satın al
hirdavatciburada.com
Www.beyazesyateknikservisi.com.tr
Servis
TİKTOK PARA HİLESİ İNDİR