Thursday 27 August 2015

Wolf CMS Arbitrary File Upload To Command Execution - CVE-2015-6567 ,CVE-2015-6568

Wolf CMS  Arbitrary File Upload To Command Execution


Full Technical Disclosure Of  Wolf CMS  Arbitrary File Upload To Command Execution



# Exploit Title          : Wolf CMS 0.8.2 Arbitrary File Upload To Command Execution
# Reported Date      : 05-May-2015
# Fixed Date             : 10-August-2015
# Exploit Author     : Narendra Bhati
# CVE ID                  : CVE-2015-6567 , CVE-2015-6568
# Additional Links -
* https://github.com/wolfcms/wolfcms/releases/
* https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html
1. Description



Every registered users who have access of upload functionality can upload an Arbitrary File Upload To perform Command Execution

Vulnerable URL

http://127.0.0.1:89/wolfcms/?/admin/plugin/file_manager/browse//

Vulnerable Parameter

"filename"
2. Proof of Concept

A)Login as regular user ( who have access upload functionality )

B)Go to this page - http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/

C)Select upload an file option to upload Arbitrary ( filename ex: "hello.php" )








D)Now you can access the uploaded file by here - http://targetsite.com/wolfcms/public/hello.php





3. Solution:

Update to version 0.8.3.1
http://www.wolfcms.org/download.html

==============================

3 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete
  3. This comment has been removed by a blog administrator.

    ReplyDelete