Description
References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1367
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9185
CVE-ID:
CVE-2014-9185
Technical Details & Description:
A command execution web vulnerability has been discovered in the official Morfy v1.05 Content Management System.
The vulnerability allows an attacker to execute system-specific commands without authorization, compromising the
online web application or connected DBMS.
The vulnerability is located in the site_url parameter of the default content management system install.php file.
install.php writes the submitted value unescaped into a single-quoted string in the generated config.php, so a value
containing a single quote is parsed as PHP code when config.php is loaded. Remote attackers are able to execute
system-specific commands to compromise the application by sending malicious requests that pass through the vulnerable
site_url value. The request method to inject the code is POST via Add.
The security risk of the vulnerability is estimated as critical with a CVSS (Common Vulnerability Scoring System)
score of 5.2. Exploitation of the web vulnerability requires no privileged application user account or user interaction.
Successful exploitation of the command execution vulnerability results in content management system compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Install
Vulnerable File(s):
[+] install.php
Vulnerable Parameter(s):
[+] site_url
Proof of Concept (PoC):
The vulnerability can be exploited by remote attackers without user interaction or a privileged application user account.
For security demonstration, or to reproduce the security vulnerability, follow the provided information and steps below.
Manual steps to reproduce the security vulnerability ...
- Download the morfy content management system
- Use the default and access the installation file (install.php)
- Inject the following payload
  website.com}','yibelo'=> eval("system('dir');"),
  (as website url) by usage of the Add function
- Then navigate to site.com/config.php, which gets executed because the injection results in
  site_url'='website.com}','yibelo'=>eval("system('dir');"),//',
- Successful reproduction of the security vulnerability!
Vulnerable Source: install.php < config.php
./install.php Line 57
$post_site_url = isset($_POST['site_url']) ? $_POST['site_url'] : '';
./install.php Line 64-77
file_put_contents('config.php', "<?php
    return array(
        'site_url' => '{$post_site_url}',
        'site_charset' => 'UTF-8',
        'site_timezone' => '{$post_site_timezone}',
        'site_theme' => 'default',
        'site_title' => '{$post_site_title}',
        'site_description' => '{$post_site_description}',
        'site_keywords' => '{$post_site_keywords}',
        'email' => '{$post_email}',
        'plugins' => array(
            'markdown',
            'sitemap',
        ),
    );");
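A hardened way to generate config.php, shown as an added example that is not part of the advisory or of Morfy's code. The function names are hypothetical and the input is the site_url value from the reproduction steps above. It validates site_url and emits every value with var_export() instead of interpolating request data into PHP source.

```php
<?php
// Added example, not Morfy's code. Function names are hypothetical.

// Accept only a syntactically valid http(s) URL for site_url.
function is_valid_site_url(string $url): bool
{
    return filter_var($url, FILTER_VALIDATE_URL) !== false
        && preg_match('#^https?://#i', $url) === 1;
}

// Build the source of config.php from data. var_export() escapes quotes
// and backslashes, so a value cannot leave its string literal.
function render_config(array $post): string
{
    $config = ['site_charset' => 'UTF-8', 'site_theme' => 'default'];
    foreach (['site_url', 'site_timezone', 'site_title',
              'site_description', 'site_keywords', 'email'] as $name) {
        $value = $post[$name] ?? '';
        $config[$name] = is_string($value) ? $value : ''; // drop array input
    }
    $config['plugins'] = ['markdown', 'sitemap'];
    return "<?php\nreturn " . var_export($config, true) . ";\n";
}

// Constructed input: the site_url value from the reproduction steps.
$payload = "website.com}','yibelo'=> eval(\"system('dir');\"),";

// Layer 1: validation decides whether the installer accepts the value.
var_dump(is_valid_site_url($payload));
var_dump(is_valid_site_url('http://website.com'));

// Layer 2: write the value anyway and load the file back, to check that
// it returns as the same string and adds no extra array key.
$source = render_config(['site_url' => $payload]);
$tmp = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($tmp, $source);
$loaded = include $tmp;   // only the exported array literal is evaluated
unlink($tmp);
var_dump($loaded['site_url'] === $payload);
var_dump(array_key_exists('yibelo', $loaded));
```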
Reference(s):
http://morfy.127.0.0.1:8080/install.php
http://morfy.127.0.0.1:8080/config.php