[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] [KIS-2024-03] Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability
From:       Egidio Romano <n0b0d13s () gmail ! com>
Date:       2024-04-05 18:37:59
Message-ID: CAJeQoQekHP16yx9d=HuFufh4vui_ugt3AnXCqvQakv_BuOFKrA () mail ! gmail ! com
[Download RAW message or body]

------------------------------------------------------------------------------
Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability
------------------------------------------------------------------------------


[-] Software Link:

https://invisioncommunity.com


[-] Affected Versions:

Version 4.7.16 and prior versions.


[-] Vulnerability Description:

The vulnerability is located in the
/applications/core/modules/admin/editor/toolbar.php script.
Specifically, into the
IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will
handle
the upload of a ZIP file, trying to extract its content into the
/applications/core/interface/ckeditor/ckeditor/plugins/ directory; if
the ZIP archive does not include
a plugin.js file, then the extracted ZIP content will be recursively
deleted from the file system,
otherwise it will stay there. This can be exploited to execute
arbitrary PHP code by uploading a
ZIP archive containing a plugin.js file (which can also be empty)
along with a PHP file. Successful
exploitation of this vulnerability requires an Administrator account
having the "toolbar_manage" permission.


[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2024-30162.php


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[08/01/2024] - Vulnerability details sent to SSD Secure Disclosure
[12/03/2024] - Version 4.7.16 released, but the issue is still not fixed
[20/03/2024] - CVE identifier requested
[24/03/2024] - CVE identifier assigned
[05/04/2024] - Coordinated public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2024-30162 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Other References:

https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/


[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-03
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic