
Arbitrary file upload vulnerability in WBCE CMS 1.4.0

kbgsft edited this page May 24, 2020 · 6 revisions

Discoverer : xcuter in NBP (NAVER BUSINESS PLATFORM - https://www.ncloud.com)

1. Upload malicious .php file as .jpg

2. Change the file name to "xxx.ph" and the extension to "p"

3. Directly access the uploaded and renamed file

4. How to find this vulnerability?

The "Web Security Checker" automatically diagnoses vulnerabilities in Web services. It can diagnose the following vulnerabilities: SQL Injection, XSS, LFI, RFI, SSRF, File Upload, File Download, XXE, Command Injection, File management, Directory Listing, Source Code Disclosure, URL Redirection, Insecure SSL/TLS, Mixed Content, Specific Vulnerabilities (CVE ShellShock, etc.)

https://www.ncloud.com/product/security/webSecurityChecker
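
The rename in step 2 splits a blocked extension across the name and extension fields, so a server-side check has to be made on the joined name rather than on either field. The PHP below is an added example of such a check, not WBCE CMS code: the function name `safe_rename_target`, the allowlist and the sample file names are assumptions, and the first sample assumes the two fields are concatenated without a separator.

```php
<?php
// Added example, not WBCE CMS code. Function name and allowlist are assumptions.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Validate a rename against the final on-disk name, i.e. the string obtained
 * after the "name" and "extension" form fields have been joined.
 * Returns the name when the rename is acceptable, null when it must be refused.
 */
function safe_rename_target(string $currentName, string $joinedName): ?string
{
    // Conservative character set: refuses path separators, NUL bytes,
    // empty names and dotfiles such as .htaccess.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*\z/', $joinedName)) {
        return null;
    }

    $parts = explode('.', strtolower($joinedName));
    $ext = array_pop($parts);
    // The extension is derived from the joined name, never from the form field.
    if (count($parts) < 1 || !in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // Refuse script extensions in inner segments ("shell.php.jpg"), which
    // some web server handler configurations still execute.
    foreach (array_slice($parts, 1) as $segment) {
        if (preg_match('/^(php\d?|phtml|phar|pht)\z/', $segment)) {
            return null;
        }
    }

    // A rename must not change the type the file was uploaded as.
    $oldExt = strtolower(pathinfo($currentName, PATHINFO_EXTENSION));
    return $ext === $oldExt ? $joinedName : null;
}

// Constructed cases. The first mirrors steps 2 and 3, assuming the two
// fields are concatenated without a separator.
$cases = [
    ['photo.jpg', 'xxx.ph' . 'p'],
    ['photo.jpg', 'holiday.jpg'],
    ['photo.jpg', 'shell.php.jpg'],
    ['photo.jpg', '../holiday.jpg'],
];
foreach ($cases as [$old, $new]) {
    printf("%-16s -> %s\n", $new, safe_rename_target($old, $new) ?? 'REFUSED');
}
```

Name validation is one layer; configuring the web server so that nothing in the upload directory is handed to the PHP interpreter removes the impact of step 3 even if a rename slips through.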