Karamasoft Arbitrary File Upload (CVE-2019-12150)
> Vendor: Karamasoft
> CVE ID: CVE-2019-12150
> Discoverer: Arvin Christopher Moreno
> Date Fixed: May 17, 2019
[Description]
> UltimateEditor 1 does not ensure that an uploaded file is an image or document
> (neither file types nor extensions are restricted). The attacker must use the Attach icon to perform an upload.
> An uploaded file is accessible under the UltimateEditorInclude/UserFiles/ URI.
>
> ------------------------------------------
> This vulnerability lets me upload arbitrary files to the file system.
> UltimateEditor's upload path does not restrict file types or extensions,
> and because of this I was able to upload PHP5 and ASPX files onto the
> file system. Using the ASPX shell, I was able to execute code on the
> target's server. I was able to exploit this vulnerability on
> Karamasoft's own website >> https://www.karamasoft.com . Here are
> the steps of the exploitation:
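The failure the description names (no extension or content restriction on upload) shown next to an allow-list check, as an added Python illustration. This is not Karamasoft's or UltimateEditor's code: the function names, the extension table and the magic-byte values for the allow-listed types are this example's own choices, and the checked extensions stand in for "image or document".

```python
import os
import re
from typing import Optional

# Extensions the application means to accept, each paired with the leading
# bytes ("magic") a genuine file of that type starts with. JPEG, PNG, GIF and
# PDF stand in for "image or document" in this example; extend as needed.
ALLOWED_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# One stem, one extension, only safe characters: this rejects "shell.aspx.jpg",
# "a;b.jpg", names carrying path separators or NULs, and over-long names.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")


def vulnerable_accept(filename: str, data: bytes) -> str:
    """The behaviour the advisory describes: any name, any content, stored as-is.

    Only the directory part is dropped, so "shell.aspx" lands in the
    web-served UserFiles directory and is later executed by the server.
    """
    return os.path.basename(filename)


def hardened_accept(filename: str, data: bytes) -> Optional[str]:
    """Return the name to store the upload under, or None to reject it.

    Three checks, all of which must pass:
      1. the name has exactly one extension and only safe characters,
      2. that extension is on the allow-list,
      3. the file's leading bytes match the magic for that extension.
    Check 3 stops a file called "shell.jpg" whose content is ASPX source from
    being accepted on the strength of its name alone.
    """
    # Normalise Windows separators so basename() strips both kinds of path.
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(base):
        return None
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    magics = ALLOWED_MAGIC.get(ext)
    if magics is None:
        return None
    if not any(data.startswith(m) for m in magics):
        return None
    return stem + ext


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF"
    aspx = b'<%@ Page Language="C#" %>'
    for name, data in [("Desert.jpg", jpeg), ("shell.aspx", aspx),
                       ("shell.aspx.jpg", jpeg), ("shell.jpg", aspx)]:
        print(f"{name:16} vulnerable={vulnerable_accept(name, data)!r:20} "
              f"hardened={hardened_accept(name, data)!r}")
```

Even with this check in place, the upload directory should not be a location the server executes scripts from: either store uploads outside the web root and stream them through a handler that sets a fixed content type, or disable script handlers for the directory, so that a validation bypass yields a static download rather than code execution.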
[Exploitation]
> Go to www.karamasoft.com and click UltimateEditor on the homepage.
> Now click Live Demo.
> Click the Attach icon in UltimateEditor; a small window should pop up.
> Click Browse. A file-system dialog opens and shows the upload path.
> Upload your ASPX shell.
>
> Now here is the slightly tricky part.
>
> Click your ASPX shell. It doesn't preview, right?
> To work around this, click one of the uploaded images. It previews.
> Now right-click the image and choose View Image. The browser then shows you the file path.
>
> File Path:
> https://www.karamasoft.com/UltimateEditorInclude/UserFiles/Desert.jpg
>
> Erase the image file name and replace it with the name + extension of your shell.
>
> Example:
>
> https://www.karamasoft.com/UltimateEditorInclude/UserFiles/shell.aspx
>
> You now have shell access on the website/server: the upload directory sits under the web root and the server still executes .aspx files placed in it instead of serving them as static content.
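An added detection and clean-up example (not from the advisory or the vendor): it scans IIS W3C-format access logs for requests that fetch script-extension files from under the UltimateEditorInclude/UserFiles/ path named above, and sweeps the directory on disk for such files. The log excerpt is constructed for this example; its field list, client addresses, timestamps and query string are made up, and the extension set is this example's choice.

```python
import os
from typing import Dict, Iterator, List, Tuple

# The URI prefix the advisory names as where uploads are served from (lower-cased
# for comparison because IIS paths are case-insensitive).
USERFILES_PREFIX = "/ultimateeditorinclude/userfiles/"

# Extensions a web server may execute rather than serve as static files. The
# advisory mentions ASPX and PHP5; the rest are common neighbours (example's choice).
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".php5", ".phtml", ".jsp", ".cgi"}

# Constructed IIS W3C-format log excerpt for this example; not a real log.
# Column order follows the #Fields: directive exactly as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2019-05-10 13:01:02 10.0.0.5 GET /UltimateEditorInclude/UserFiles/Desert.jpg - 443 203.0.113.7 Mozilla/5.0 200
2019-05-10 13:02:11 10.0.0.5 GET /UltimateEditorInclude/UserFiles/shell.aspx - 443 203.0.113.7 Mozilla/5.0 200
2019-05-10 13:02:30 10.0.0.5 GET /UltimateEditorInclude/UserFiles/shell.aspx cmd=whoami 443 203.0.113.7 Mozilla/5.0 200
2019-05-10 13:03:00 10.0.0.5 GET /index.aspx - 443 198.51.100.9 Mozilla/5.0 200
2019-05-10 13:03:15 10.0.0.5 GET /UltimateEditorInclude/UserFiles/notes.pdf - 443 198.51.100.9 Mozilla/5.0 200
"""


def parse_w3c_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # a new directive re-defines the columns
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def find_script_requests(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (client ip, uri-stem, query, status) for each request that fetches
    a script-extension file from under the UserFiles path.

    Image and document fetches from the same directory are normal traffic and
    are left out; a hit here means someone is reaching an uploaded script.
    """
    hits = []
    for rec in parse_w3c_log(text):
        stem = rec.get("cs-uri-stem", "")
        low = stem.lower()
        if not low.startswith(USERFILES_PREFIX):
            continue
        if os.path.splitext(low)[1] in SCRIPT_EXTS:
            hits.append((rec.get("c-ip", "-"), stem,
                         rec.get("cs-uri-query", "-"), rec.get("sc-status", "-")))
    return hits


def find_script_files(userfiles_dir: str) -> List[str]:
    """Sweep an on-disk UserFiles directory (recursively) for files with script
    extensions, which should never be present once uploads are validated."""
    found = []
    for root, _dirs, files in os.walk(userfiles_dir):
        for name in files:
            if os.path.splitext(name.lower())[1] in SCRIPT_EXTS:
                found.append(os.path.join(root, name))
    return sorted(found)


if __name__ == "__main__":
    for ip, uri, query, status in find_script_requests(SAMPLE_LOG):
        print(f"{ip} fetched {uri} query={query} status={status}")
```

A hit with status 200 against a script-extension file under UserFiles means the file was both uploaded and served; the query string (cmd=whoami in the constructed line) is the kind of detail that turns a "file exists" finding into evidence of command execution, so keep it in the alert. Run the directory sweep on the server as part of clean-up after applying the vendor fix, since validation added later does nothing about shells already on disk.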
[END]