what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

JagoanStore CMS Shell Upload

JagoanStore CMS Shell Upload
Posted Aug 22, 2011
Authored by eidelweiss

JagoanStore CMS suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
SHA-256 | dee14af7198f227bb48818d26dfa0afe5c88a8011ab28e8f5ab307bb5b35a4a5

JagoanStore CMS Shell Upload

Change Mirror Download
===================================================================
JagoanStore CMS Arbitary file upload vulnerability
===================================================================

Software: JagoanStore CMS
Vendor: www.jagoanstore.com
Price: Rp.900.000 (IDR)
Vuln Type: Arbitary file upload

Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss-advisories.blogspot.com
Gratz: Devilzc0de, YOGYACARDERLINK, and YOU !!!

References: http://eidelweiss-advisories.blogspot.com/2011/08/jagoanstore-cms-arbitary-file-upload.html


===================================================================

description:
JagoanStore, adalah CMS untuk membuat toko online.
JagoanStore dibuat tidak hanya berdasar pada hal teknis pembuatan website, dalam pembuatannya juga di desain untuk membuat web toko online Anda mampu menjadi senjata ampuh bagi bisnis Anda.
Kini Anda tinggal fokus pada peningkatan penjualan online Anda.

----------------------------------
Vulnerability details:

JagoanStore CMS is using the old version of FCKeditor for upload file to all user.And all know the old version of FCKeditor have a vulnerability and attacker might be able to upload arbitrary files containing malicious PHP code due to multiple file extensions isn't properly checked.
Here is the code:

/manage/fckeditor/editor/filemanager/connectors/php/config.php

global $Config ;

// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
// authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = true ; // <= 1

---

// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/userfiles/' ; // <= here is the path of attacker file or shell backdoor will be placed.

// following setting enabled.
$Config['ForceSingleExtension'] = true ; // <= 2

$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ; // <= 3

$Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
---

with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code due to multiple file extensions isn't properly checked


----------------------------------

exploit & p0c

[!] http://host/manage/fckeditor/editor/filemanager/connectors/uploadtest.html // upload your file here
or
[!] http://host/path_to_CMSBalitbang/manage/fckeditor/editor/filemanager/connectors/uploadtest.html

your shell or file will be placed here

[!] http://localhost/userfiles/ <= here

Nb: You can use trick from pentesters.ir about FCKeditor :D

Advisories Time:

08-14-2011 (GMT+7) Bug Founded
08-15-2011 (GMT+7) Bug Reported to Vendor
08-21-2011 (GMT+7) Vendor respon and do patching (contact via online chat) :D
08-22-2011 (GMT+7) Advisories Publish

====================================================================

Nothing Impossible In This World Even Nobody`s Perfect

===================================================================

==========================| -=[ E0F ]=- |==========================
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close