
[webapps / 0day] - Orbis CMS 1.0.2 Arbitrary File Upload Vul

Posted on 30 November 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
<meta http-equiv='Content-Language' content='en' />
<title>Orbis CMS 1.0.2 Arbitrary File Upload Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title>
<meta name='description' content='Orbis CMS 1.0.2 Arbitrary File Upload Vulnerability by Mark Stanislav in webapps / 0day | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' />
<link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' />
<link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' />
</head>
<body>
<pre>
===================================================
Orbis CMS 1.0.2 Arbitrary File Upload Vulnerability
===================================================

'Orbis CMS' Arbitrary Script Execution Vulnerability (CVE-2010-4313)
Mark Stanislav - mark.stanislav@gmail.com

I. DESCRIPTION
---------------------------------------
A vulnerability exists in the 'Orbis CMS' fileman_file_upload.php script that
allows any authenticated user to upload a PHP script and then run it without
restriction.

II. TESTED VERSION
---------------------------------------
1.0.2

III. PoC EXPLOIT
---------------------------------------
1) Login as any CMS user (administrator or non-administrator)
2) Upload your desired PHP script (e.g. cmd.php)
3) Navigate to http://www.example.com/orbis/uploads/cmd.php?cmd=cat%20/etc/passwd

IV. NOTES
---------------------------------------
* This software is no longer developed according to the product page; it is
  still available for download though.
* Various other vulnerabilities exist in this code base (at least for previous
  versions); it's advisable not to use this software as patches are not coming.
* A vendor notice was not done for the aforementioned reasons.

V. SOLUTION
---------------------------------------
Overhaul the upload verification portion of fileman_file_upload.php completely.

# <a href='http://1337db.com/'>1337db.com</a> [2010-11-30]
</pre>
</body>
</html>
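
One shape the upload verification overhaul named in the SOLUTION section could take, as an added example that is not from the advisory and is not Orbis CMS code. The function name `store_upload`, the form field `file`, the storage path, the size limit and the allow-list are all assumptions, and PHP 7 or later is assumed.

```php
<?php
// Added example: a hypothetical hardened upload handler, not Orbis CMS code.
// Assumed: form field "file", storage directory outside the web root.
const UPLOAD_DIR = '/var/lib/cms-uploads';   // assumed path, never served directly
const MAX_BYTES  = 2 * 1024 * 1024;          // assumed size limit
// Allow-list: extension => MIME type the file content must really have.
const ALLOWED = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept a temp file PHP itself created for this request, within the limit.
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('invalid or oversized upload');
    }
    // The client-supplied name is used only to pick an allow-list entry.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // The sniffed content type must agree with the claimed extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: the uploader controls neither the path nor the suffix.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

if (isset($_FILES['file'])) {
    try {
        echo 'stored as ', store_upload($_FILES['file']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

Because the file is stored outside the document root under a server-chosen name, a `.php` upload is rejected at the allow-list and nothing that is stored can be requested as a script by URL.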

 
