> Vendor: Karamasoft
> CVE ID: CVE-2019-12150
> Discoverer: Arvin Christopher Moreno
> Date Fixed: May 17, 2019
[Description]
> UltimateEditor 1 does not ensure that an uploaded file is an image or document
> (neither file types nor extensions are restricted). The attacker must use the Attach icon to perform an upload.
> An uploaded file is accessible under the UltimateEditorInclude/UserFiles/ URI.
>
> ------------------------------------------
> This vulnerability lets me upload arbitrary files to the file system.
> UltimateEditor's upload path does not restrict file types/extensions,
> and because of this, I was able to upload PHP5 and ASPX files to their
> file system. Using the ASPX shell, I was able to execute code on the
> target's server. I was able to exploit this vulnerability on
> karamasoft's website itself >> https://www.karamasoft.com . Here are
> the steps of the exploitation:
[Exploitation]
> Go to www.karamasoft.com and click UltimateEditor on their homepage.
> Now, click the Live Demo.
> Click the Attach icon on the UltimateEditor and a small window should pop up.
> Click Browse; a file system dialog pops up and shows the upload path.
> Upload your ASPX shell.
>
> Now here is a slightly tricky part.
>
> Click your ASPX shell. It doesn't preview, right?
> To solve this problem, click one of the uploaded images. It previews.
> Now, right-click the image and click View Image. It then shows you the file path.
>
> File Path:
> https://www.karamasoft.com/UltimateEditorInclude/UserFiles/Desert.jpg
>
> Erase the image file name and replace it with the name + extension of your shell.
>
> Example:
>
> https://www.karamasoft.com/UltimateEditorInclude/UserFiles/shell.aspx
>
> Gratz! You now have shell access on the website/server.
[END]
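The description above says the UserFiles upload path restricts neither file types nor extensions, which is what lets the ASPX and PHP5 files through. As an added example (not Karamasoft's or UltimateEditor's code), here is the server-side allow-list check a fix would need: one extension only, an allow-listed type, and content whose magic bytes agree with that extension. The extension list and magic bytes are assumptions chosen for the example.

```python
import os
import re

# Allow-list of image/document types with the magic bytes a genuine file of
# that type starts with. Constructed for this example; extend as needed.
ALLOWED_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "pdf":  (b"%PDF-",),
}

# Filename stem: letters, digits, underscore, hyphen only (no empty stem).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, data):
    """Return (accepted, reason).

    Rejects anything that is not a well-formed, allow-listed image/document
    whose content matches the claimed extension.
    """
    # Strip any directory component so the name cannot escape UserFiles/.
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.split(".")
    # Exactly one extension: rejects "shell.aspx" and "x.php5" by type, and
    # double-extension names such as "shell.aspx.jpg" or "pic.jpg.aspx".
    if len(parts) != 2:
        return False, "filename must be <name>.<ext> with a single extension"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_NAME.match(stem):
        return False, "filename stem contains disallowed characters"
    if ext not in ALLOWED_TYPES:
        return False, "extension not in allow-list: ." + ext
    # Content must agree with the extension: a script renamed to .jpg fails.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "file content does not match ." + ext
    return True, "ok"
```

The content check matters as much as the extension check: a server that maps handlers by extension still needs both, since a renamed script would otherwise pass a name-only filter.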