Wolf CMS Arbitrary File Upload To Command Execution Exploit

# Exploit Title    : Wolf CMS 0.8.2  Arbitrary File Upload To Command
Execution
# Reported Date    : 05-May-2015
# Fixed Date       : 10-August-2015
# Exploit Author   : Narendra Bhati
# CVE ID           : CVE-2015-6567 , CVE-2015-6568
# Contact:
* Facebook         : https://facebook.com/narendradewsoft
*Twitter           : http://twitter.com/NarendraBhatiB
# Website          : http://websecgeeks.com
# Additional Links -
* https://github.com/wolfcms/wolfcms/releases/
* https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html
 
#For POC -
http://websecgeeks.com/wolf-cms-arbitrary-file-upload-to-command-execution/
 
1. Description
 
Every registered users who have access of upload functionality can upload
an Arbitrary File Upload To perform Command Execution
 
Vulnerable URL
 
http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/
 
Vulnerable Parameter
 
"filename"
 
 
2. Proof of Concept
 
A)Login as regular user ( who have access upload functionality )
 
B)Go to this page  -
http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/
 
C)Select upload an file option to upload Arbitary File ( filename ex:
"hello.php" )
 
D)Now you can access the file by here -
http://targetsite.com/wolfcms/public/hello.php
 
 
3. Solution:
 
Update to version 0.8.3.1
http://www.wolfcms.org/download.html

#  0day.today [2018-04-04]  #