Vendor: Subdreamer CMS
By: indoushka
CVSS: 7.5 (HIGH)
Type: Upload Vulnerability
CWE: 434
Product Name: Subdreamer CMS
Affected Version From: 3.0.1
Affected Version To: 3.0.1
Patch Exists: Yes
Related CWE: N/A
CPE: a:subdreamer:subdreamer_cms:3.0.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux
2009

Subdreamer.v3.0.1 cms upload Vulnerability

Subdreamer CMS v3.0.1 is vulnerable to an unrestricted file upload vulnerability (CWE-434). An attacker can register on the website and then use Tamper Data on the image-insert request. This can be exploited to upload malicious files and gain access to the website.

Mitigation:

Ensure that the website is running the latest version of Subdreamer CMS (3.0.1 is the affected version) and that all security patches are applied.
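
An added example, not Subdreamer's code or part of the original advisory: a server-side check of the kind an image-upload handler needs so that values a client can rewrite with a tool like Tamper Data do not decide what gets stored. The function name, size limit and extension lists are assumptions made for illustration; the advisory does not show which request fields were tampered with.

```python
import os
import secrets

# Allowlist (assumed for this example): extension -> accepted magic-byte prefixes.
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Script types refused anywhere in the name (assumed list, extend per server).
SCRIPT_PARTS = {"php", "phtml", "php3", "php5", "phar", "cgi", "pl", "asp", "aspx", "jsp"}


def validate_image_upload(client_filename, client_content_type, data,
                          max_bytes=2 * 1024 * 1024):
    """Return (accepted, stored_name_or_reason) for one uploaded file.

    client_filename and client_content_type arrive in the request and can be
    rewritten by the client, so the declared content type is ignored and the
    filename is only used to pick which signature the bytes must match.
    """
    if not data or len(data) > max_bytes:
        return False, "empty or oversized upload"
    # Drop directory components, whichever separator the client used.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in name:
        return False, "NUL byte in filename"
    stem, ext = os.path.splitext(name.lower())
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed: %r" % ext
    # Refuse names such as upload.php.jpg: some server configurations
    # hand any file with a script segment in its name to the interpreter.
    if SCRIPT_PARTS & set(stem.split(".")):
        return False, "script extension inside filename"
    # The bytes themselves must start with the signature for that type.
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match %s signature" % ext
    # Store under a server-generated name so no client input reaches the path.
    return True, secrets.token_hex(16) + ext
```

Keeping the upload directory non-executable in the web server configuration remains necessary, because a file can carry a valid image signature and still contain script code.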

Exploit-DB raw data:

========================================================================================
| # Title    : Subdreamer.v3.0.1 cms upload Vulnerability
| # Author   : indoushka
| # email    : indoushka@hotmail.com
| # Home     : www.h4kz.com
| # Web Site :
| # Dork     : Website powered by Subdreamer CMS & Sequel Theme Designed by indiqo.media
| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Linux Français v.(9.4 Ubuntu)
| # Bug      : upload
======================      Exploit By indoushka       =================================
# Exploit  :



1- to Register go to : http://127.0.0.1/upload/index.php?categoryid=6

2- after Register go to http://127.0.0.1/upload/index.php?categoryid=3&p17_sectionid=2&p17_action=insertimage (and use tamper data)


Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * Xproratix ==========================================