[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : odlican.net cms v.1.5 Remote File Upload Vulnerability
# Published : 2010-02-06
# Author : Teo Manojlovic
# Previous Title : Arab Network Tech. (ANT) CMS SQL Injection
# Next Title : ShopEx <= Single V4.5.1 Multiple Vulnerabilities
#odlican.net cms v.1.5 remote file upload vulnerability
#Author: Teo Manojlovic
#you can download following cms here
#http://cms.odlican.net/files/cmsv1-5.zip
#Info:odlican.net cms v.1.5 is simple opensource cms made by croatian web designers
and it has serious flaw.
#dork:Powered by odlican.net cms v.1.5
#what is vulnerable?
this is vulnerable part of code from upload.php and it will upload any file to /cms/files/ folder(including dangerous php scripts)
if ( isset($_POST['pokreni'])){
$target_path = "files/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {echo "Datoteka ". basename( $_FILES['uploadedfile']['name']). " je snimljena na server";} else{ echo "Do?lo je do gre?ke poku?ajte ponovno!";}
}
#there should be code that will filter some extensions like .php etc.....
#fixajte si taj kod. dodajte da skripta provjerava ekstenzije i velicinu filea
#pozz