vendor:
Portals Pluto
by:
Che-Chun Kuo
7.5
CVSS
HIGH
Remote Code Execution
79
CWE
Product Name: Portals Pluto
Affected Version From: 3.0.0
Affected Version To: 3.0.0
Patch Exists: NO
Related CWE: CVE-2018-1306
CPE: a:apache:portals_pluto:3.0.0
Metasploit:
https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2018-18661/, https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2018-18557/, https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2018-17100/, https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2018-17101/, https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2018-12900/, https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2018-10963/, https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2018-10779/, https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2018-8905/, https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2018-7456/
Platforms Tested: Windows
2018
Apache Portals Pluto 3.0.0 – Remote Code Execution
Apache Pluto uses web.xml security constraints to control access to resources. These security constraints have been insecurely defined allowing authentication to be bypassed. An attacker can call the PortletV3AnnotatedDemo Multipart Portlet and upload an arbitrary file. The uploaded file is directly accessible within the /PortletV3AnnotatedDemo/temp/ directory. This technique allows an unauthenticated attacker to install a malicious JSP file and remotely execute code on a server running Apache Pluto. Apache Pluto's multipart file uploader is vulnerable to directory traversal. An attacker is able to upload a file outside the default /temp directory to an arbitrary location on the filesystem.
Mitigation:
This vulnerability was mitigated by moving the /temp directory outside the /webapps directory and under the Tomcat directory.
