[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] 'Orbis CMS' Arbitrary Script Execution
From:       Mark Stanislav <mark.stanislav () gmail ! com>
Date:       2010-11-30 4:49:21
Message-ID: 0DE54704-60BB-4512-B0D3-43B7061E8786 () gmail ! com
[Download RAW message or body]

'Orbis CMS' Arbitrary Script Execution Vulnerability (CVE-2010-4313)
Mark Stanislav - mark.stanislav@gmail.com


I. DESCRIPTION
---------------------------------------
A vulnerability exists in the 'Orbis CMS' fileman_file_upload.php script that allows any \
authenticated user to upload a PHP script and then run it without restriction.

 
II. TESTED VERSION
---------------------------------------
1.0.2 


III. PoC EXPLOIT
---------------------------------------
1) Login as any CMS user (administrator or non-administrator)
2) Upload your desired PHP script (e.g. cmd.php)
3) Navigate to http://www.example.com/orbis/uploads/cmd.php?cmd=cat%20/etc/passwd


IV. NOTES 
---------------------------------------
* This software is no longer developed according to the product page; it is still available for \
                download though.
* Various other vulnerabilities exist in this code base (at least for previous versions); it's \
                advisable not to use this software as patches are not coming.
* A vendor notice was not done for the aforementioned reasons.


V. SOLUTION
---------------------------------------
Overhaul the upload verification portion of fileman_file_upload.php completely.


VI. REFERENCES
---------------------------------------
http://www.novo-ws.com/orbis-cms/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4313
http://www.uncompiled.com/2010/11/orbis-cms-arbitrary-script-execution-vulnerability-cve-2010-4313/



VII. TIMELINE
---------------------------------------
11/30/2010: Public disclosure
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic