what you don't know can hurt you

NibbleBlog 4.0.3 Shell Upload

NibbleBlog 4.0.3 Shell Upload
Posted Sep 1, 2015
Authored by Tim Coen | Site curesec.com

NibbleBlog version 4.0.3 suffers from a shell upload vulnerability.

tags | exploit, shell
MD5 | e9b20bd2cae166ab18bb5d06554fb9e8

NibbleBlog 4.0.3 Shell Upload

Change Mirror Download
NibbleBlog 4.0.3: Code Execution
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: NibbleBlog 4.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: Website: http://www.nibbleblog.com/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 07/21/2015
Disclosed to public: 09/01/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description

When uploading image files via the "My image" plugin - which is
delivered with NibbleBlog by default - , NibbleBlog 4.0.3 keeps the
original extension of uploaded files. This extension or the actual file
type are not checked, thus it is possible to upload PHP files and gain
code execution.

Please note that admin credentials are required.

3. Proof of Concept

Obtain Admin credentials (for example via Phishing via XSS which can
be gained via CSRF, see advisory about CSRF in NibbleBlog 4.0.3)
Activate My image plugin by visiting
http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
Upload PHP shell, ignore warnings
Visit
http://localhost/nibbleblog/content/private/plugins/my_image/image.php.
This is the default name of images uploaded via the plugin.

4. Code


if( $plugin->init_db() )
{
// upload files
foreach($_FILES as $field_name=>$file)
{
$extension = strtolower(pathinfo($file['name'],
PATHINFO_EXTENSION));
$destination = PATH_PLUGINS_DB.$plugin->get_dir_name();
$complete = $destination.'/'.$field_name.'.'.$extension;

// Upload the new file and move
if(move_uploaded_file($file["tmp_name"], $complete))
{
// Resize images if requested by the plugin
if(isset($_POST[$field_name.'_resize']))
{
$width =
isset($_POST[$field_name.'_width'])?$_POST[$field_name.'_width']:200;
$height =
isset($_POST[$field_name.'_height'])?$_POST[$field_name.'_height']:200;
$option =
isset($_POST[$field_name.'_option'])?$_POST[$field_name.'_option']:'auto';
$quality =
isset($_POST[$field_name.'_quality'])?$_POST[$field_name.'_quality']:100;

$Resize->setImage($complete, $width, $height, $option);
$Resize->saveImage($complete, $quality, true);
}
}
}

unset($_POST['plugin']);

// update fields
$plugin->set_fields_db($_POST);

Session::set_alert($_LANG['CHANGES_HAS_BEEN_SAVED_SUCCESSFULLY']);
}
}

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

07/21/2015 Informed Vendor about Issue
07/22/2015 Vendor Replied
08/18/2015 Reminded Vendor of release date (no reply)
09/01/2015 Disclosed to public

7. Blog Reference
http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html


Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    34 Files
  • 16
    Jun 16th
    9 Files
  • 17
    Jun 17th
    33 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close