header-logo
Suggest Exploit
vendor:
WolfCMS
by:
Narendra Bhati
8,8
CVSS
HIGH
Arbitrary File Upload To Command Execution
434
CWE
Product Name: WolfCMS
Affected Version From: 0.8.2
Affected Version To: 0.8.2
Patch Exists: YES
Related CWE: CVE-2015-6567, CVE-2015-6568
CPE: WolfCMS
Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2015-0116/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2015-0117/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2015-0118/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2015-1628/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2014-6568/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2015

Wolf CMS 0.8.2 Arbitrary File Upload To Command Execution

Every registered users who have access of upload functionality can upload an Arbitrary File Upload To perform Command Execution. The vulnerable URL is http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/ and the vulnerable parameter is 'filename'. To exploit this vulnerability, a user must login as a regular user with access to upload functionality, go to the vulnerable URL, select the upload an file option to upload an arbitrary file (e.g. 'hello.php'), and then access the file at http://targetsite.com/wolfcms/public/hello.php.

Mitigation:

Update to version 0.8.3.1
Source

Exploit-DB raw data:

# Exploit Title    : Wolf CMS 0.8.2  Arbitrary File Upload To Command
Execution
# Reported Date    : 05-May-2015
# Fixed Date       : 10-August-2015
# Exploit Author   : Narendra Bhati
# CVE ID           : CVE-2015-6567 , CVE-2015-6568
# Contact:
* Facebook         : https://facebook.com/narendradewsoft
*Twitter           : http://twitter.com/NarendraBhatiB
# Website          : http://websecgeeks.com
# Additional Links -
* https://github.com/wolfcms/wolfcms/releases/
* https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html

#For POC -
http://websecgeeks.com/wolf-cms-arbitrary-file-upload-to-command-execution/

1. Description

Every registered users who have access of upload functionality can upload
an Arbitrary File Upload To perform Command Execution

Vulnerable URL

http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/

Vulnerable Parameter

"filename"


2. Proof of Concept

A)Login as regular user ( who have access upload functionality )

B)Go to this page  -
http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/

C)Select upload an file option to upload Arbitary File ( filename ex:
"hello.php" )

D)Now you can access the file by here -
http://targetsite.com/wolfcms/public/hello.php


3. Solution:

Update to version 0.8.3.1
http://www.wolfcms.org/download.html

=============

-- 
*Narendra Bhati "CEH" **( Facebook
<http://www.facebook.com/narendradewsoft> , Twitter
<http://www.twitter.com/NarendraBhatiB> , LinkedIn
<https://www.linkedin.com/profile/view?id=115146074> , Personal Blog )*
*Security Analyst - IT Risk & Security Management Services*
Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
Pune: 411004 |

*======================================================================*

Navigation

Suggest Exploit

Services By CQR