Search Bare
GetSimpleCMS Version 3.2.1 Arbitrary File Upload / Cross Site Scripting Vulnerabilities
GetSimpleCMS Version 3.2.1 Arbitrary File Upload / Cross Site Scripting Vulnerabilities===================================================================================# Exploit Title: GetSimpleCMS Version 3.2.1 Arbitrary File Upload Vulnerability# Download link: http://code.google.com/p/get-simple-cms/# version: 3.2.1# Category: webapps# Tested on: ubuntu 10.04# Author: Bond Benz# Email: islambenzeghli@gmail.com# Website: www.outlaws.labxi.com===================================================================================Description: - GetSimpleCMS Version 3.2.1 suffers from arbitrary file upload vulnerability which allows an attacker to upload a HTML page. -
The main reason of this vulnerability is that the application uses a
blacklist technique to compare the file aganist mime types and
extensions. - If the mime type or the extension is in the blacklist array , the application won't upload it. Exploit: - For exploiting this vulnerability we will create a file with mutiple extensions for example "exploit.html.fr" -
The application will check the mime type and extension of the file
which is "fr" aganist the blacklist array mime type and extensions. - and ofcourse "fr" extension won't be in the blacklist array so the application will upload it successfully. - The uploaded file will be under the "data/uploads/" folder. Solution: - The application should use whitelisting technique which compare the file extensions and mime types aganist - acceptable mime types and extensions for more information google for "whitelisting vs blacklisting"Stored XSS Vulnerability:Page: edit.phpDesc: inject your javascript code in "Page Title" field.POC: test" onClick="alert(/HackedByBondBenz/)Page: edit.php Desc: click on page option then check "add this page to the menu" then inject your javascript code in "post-menu"" field.POC: <script>alert(/HackedByBondBenz/)</script>page: settings.php Desc: inject javascript event in "Custom Permalink Structure" field POC: test" onClick="alert(/HackedByBondBenz/)page: settings.php Desc: inject javascript event in "Display name" field POC: test" onClick="alert(/HackedByBondBenz/)Posted by Unknown at 12:30
Inscription à :
Publier les commentaires (Atom)
0 comments:
Enregistrer un commentaire