This Metasploit module exploits an authenticated path traversal vulnerability found in LimeSurvey versions between 4.0 and 4.1.11 with CVE-2020-11455 or less than or equal to 3.15.9 with CVE-2019-9960, inclusive. In CVE-2020-11455 the getZipFile function within the filemanager functionality allows for arbitrary file download. The file retrieved may be deleted after viewing, which was confirmed in testing. In CVE-2019-9960 the szip function within the downloadZip functionality allows for arbitrary file download. Verified against 4.1.11-200316, 3.15.0-181008, 3.9.0-180604, 3.6.0-180328, 3.0.0-171222, and 2.70.0-170921.
9f74526757273c5edcea64339d62718ea0a109843590d25d98a39b5da99e5413LimeSurvey version 4.1.11 suffers from a Survey Groups persistent cross site scripting vulnerability.
df3e45472fe0c92c7d67f5d5dc0037bf3764a1c3defb70f0ed668401e0954839LimeSurvey version 4.1.11 suffers from a File Manager path traversal vulnerability.
bf5a0e91bdbc5c3f5a359190e6096a3b9eeab16103c3bf4d7cd42dc1a31b6492rConfig version 3.9.4 suffers from a search.crud.php remote command injection vulnerability.
46da4988737c90304318720180a381f97a3554b50c1410cead0b35bc43ad5e5dThis Metasploit module exploits a vulnerability that exists due to a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user with a directory traversal payload as the username, commands can be written to a given directory. To use this module with the cron exploitation method, run the exploit using the given payload, host, and port. After running the exploit, the payload will be executed within 60 seconds. Due to differences in how cron may run in certain Linux operating systems such as Ubuntu, it may be preferable to set the target to Bash Completion as the cron method may not work. If the target is set to Bash completion, start a listener using the given payload, host, and port before running the exploit. After running the exploit, the payload will be executed when a user logs into the system. For this exploitation method, bash completion must be enabled to gain code execution. This exploitation method will leave an Apache James mail object artifact in the /etc/bash_completion.d directory and the malicious user account.
38aec6cad30d28bc144df66f4ad6d698b59a52c8a529a3cc66391e571ee852c6
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed