> Vendor: Karamasoft
> CVE ID: CVE-2019-12150
> Discoverer: Arvin Christopher Moreno
> Date Fixed: May 17, 2019
[Description]
> UltimateEditor 1 does not ensure that an uploaded file is an image or document
> (neither file types nor extensions are restricted). The attacker must use the Attach icon to perform an upload.
> An uploaded file is accessible under the UltimateEditorInclude/UserFiles/ URI.
>
> ------------------------------------------
> This vulnerability lets me upload arbitrary files to the file system.
> UltimateEditor's upload path does not restrict file types/extensions,
> and because of this, I was able to upload PHP5 and ASPX files on their
> file system. Using the ASPX shell, I was able to execute code on the
> target's server. I was able to exploit this vulnerability on
> Karamasoft's website itself >> https://www.karamasoft.com . Here are
> the steps of the exploitation:
[Exploitation]
> Go to www.karamasoft.com and click UltimateEditor on their homepage.
> Now, click the Live Demo.
> Click the Attach icon on the UltimateEditor and a small window should pop up.
> Click Browse; a file system dialog pops up and shows the upload path.
> Upload your ASPX shell.
>
> Now here is a slightly tricky part.
>
> Click your ASPX shell. It doesn't preview, right?
> To solve this problem, click one of the uploaded images. It previews.
> Now, right-click on the image and click View Image. Then it shows you the file path.
>
> File Path:
> https://www.karamasoft.com/UltimateEditorInclude/UserFiles/Desert.jpg
>
> Erase the image file name and replace it with the name + extension of your shell.
>
> Example:
>
> https://www.karamasoft.com/UltimateEditorInclude/UserFiles/shell.aspx
>
> Gratz! You now have shell access on the website/server.
[END]
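The root cause described above is an upload handler that checks neither the file extension nor the file content and stores the result under a web-served path. The following validator is an added illustrative example, not UltimateEditor's code and not from the advisory author; it is written in Python as a language-neutral demonstration, and the extension allowlist, the magic-byte table and the sample inputs are constructed assumptions.

```python
import os
import secrets
from typing import Optional

# Constructed allowlist: each permitted extension maps to the magic bytes
# a genuine file of that type must begin with. Anything else is rejected,
# so server-side script types (.aspx, .php5, ...) can never be accepted.
ALLOWED_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def _extension(filename: str) -> str:
    """Lower-cased final extension of the client-supplied name, after
    dropping any directory component and trailing dots/spaces that some
    filesystems silently strip (e.g. 'shell.aspx.' -> 'shell.aspx')."""
    base = os.path.basename(filename).rstrip(". ")
    return os.path.splitext(base)[1].lower()


def is_allowed_upload(filename: str, data: bytes) -> bool:
    """True only if the extension is allowlisted AND the content starts
    with the magic bytes expected for that extension. A double extension
    such as 'shell.aspx.jpg' passes the extension test but fails the
    content test, because ASPX source does not start with JPEG magic."""
    ext = _extension(filename)
    if ext not in ALLOWED_SIGNATURES:
        return False
    return any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext])


def stored_name(filename: str, data: bytes) -> Optional[str]:
    """Server-generated name for an accepted upload, or None if rejected.
    The client-chosen name is never used on disk, so an attacker cannot
    pick the path they later request, as in the advisory's final step."""
    if not is_allowed_upload(filename, data):
        return None
    return secrets.token_hex(16) + _extension(filename)
```

The accepted file should still be written outside the web root (or to a location where the server is configured not to execute scripts) and served through a handler that sets an explicit Content-Type, since a magic-byte check alone does not rule out polyglot files.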