Aerosol, posted January 6, 2015

AdaptCMS 3.0.3 Remote Command Execution

#!/usr/bin/env python
#
#
# AdaptCMS 3.0.3 Remote Command Execution Exploit
#
#
# Vendor: Insane Visions
# Product web page: http://www.adaptcms.com
# Affected version: 3.0.3
#
# Summary: AdaptCMS is a Content Management System trying
# to be both simple and easy to use, as well as very agile
# and extendable. Not only so we can easily create Plugins
# or additions, but so other developers can get involved.
# Using CakePHP we are able to achieve this with a built-in
# plugin system and MVC setup, allowing us to focus on the
# details and end-users to focus on building their website
# to look and feel great.
#
# Desc: AdaptCMS suffers from an authenticated arbitrary
# command execution vulnerability. The issue is caused due
# to the improper verification of uploaded files. This can
# be exploited to execute arbitrary PHP code by creating
# or uploading a malicious PHP script file that will be
# stored in '\app\webroot\uploads' directory.
#
# Tested on: Apache 2.4.10 (Win32)
#            PHP 5.6.3
#            MySQL 5.6.21
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
# Advisory ID: ZSL-2015-5219
# Advisory URL: [url]http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5219.php[/url]
#
# 29.12.2014
#
# --

GET /adaptcms/admin/adaptbb/webroot/foo HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Referer: [url]http://zeroscience.mk[/url]
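As an added defensive illustration, not part of the advisory above and not AdaptCMS's own code: the kind of upload verification whose absence the advisory describes, written in Python. The allow-list, the magic-byte table and the list of script extensions are assumptions chosen for this example, not values taken from AdaptCMS.

```python
import re
from typing import Tuple

# Constructed policy for this illustration: what an uploads/ directory is
# meant to hold, keyed by extension, with the leading bytes each type must have.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF",
}

# Extensions a web server may hand to the PHP interpreter (assumed list).
# A file carrying one of these in ANY dotted segment is refused, which also
# covers double extensions such as name.php.jpg.
SERVER_SIDE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Characters permitted in the part of the name before the final extension.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied name and file body."""
    # Keep only the basename so '../' or 'C:\..\' prefixes cannot steer the
    # write outside the uploads directory (both separator styles handled).
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name.startswith("."):
        return False, "empty or hidden file name (e.g. .htaccess)"
    stem, _, ext = name.lower().rpartition(".")
    if not stem or not ext:
        return False, "no extension"
    if ext in SERVER_SIDE or any(seg in SERVER_SIDE for seg in stem.split(".")):
        return False, "server-side script extension present"
    if ext not in ALLOWED:
        return False, f"extension .{ext} not in allow-list"
    if not SAFE_STEM.match(stem):
        return False, "name contains characters outside [A-Za-z0-9_.-]"
    # The declared type must agree with the file's actual leading bytes.
    if not data.startswith(ALLOWED[ext]):
        return False, f"content does not look like a .{ext} file"
    # A PHP open tag inside an otherwise valid image is still refused; it is
    # what include- and misconfiguration-based execution relies on.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP open tag"
    return True, "accepted"
```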