CVE-2015-6567
- Published: 2017-04-14
- Priority: P265, high, 8.8 (CVSS 3.0)
- Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Exploit available
- EPSS: 10.84% (95.3th percentile)
Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not validate the parameter "filename" properly. Exploitation requires a registered user who has access to upload functionality.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wolfcms | wolf_cms | <= 0.8.3 | — |
Detection & IOCs
- Monitor HTTP POST requests to the file manager upload endpoint (/?/admin/plugin/file_manager/upload/) containing multipart/form-data with a PHP file extension in the filename parameter.
- Alert on HTTP GET requests to /wolfcms/public/*.php, which indicates execution of an uploaded PHP webshell in the public directory.
- The vulnerable parameter is 'filename' in the file manager browse/upload functionality; inspect multipart upload requests for PHP file extensions in this parameter.
- Uploaded PHP payloads are accessible under the /wolfcms/public/ path immediately after upload; monitor web server access logs for .php file access under this directory.
- Exploitation requires an authenticated session; the attacker must first obtain valid credentials for a user with upload/file manager access before the file upload attack can proceed.
- The Metasploit module extracts a CSRF token from the file manager browse page before uploading; detection logic should account for a GET to the browse page immediately followed by a POST to the upload endpoint from the same session.
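One way to implement the correlation described in the list above, as an added example that is not part of the advisory or the Metasploit module: it reads combined-format access log lines and flags a client that POSTs to the file manager upload endpoint and then requests a .php file under public/ within a time window. The sample log lines are constructed, and the 300-second window and keying on client IP instead of the session cookie are assumptions.

```python
import re
from datetime import datetime, timedelta

# Paths come from the detection notes above; any prefix such as /wolfcms depends on the install.
BROWSE_RE = re.compile(r"/\?/admin/plugin/file_manager/browse/?")
UPLOAD_RE = re.compile(r"/\?/admin/plugin/file_manager/upload/?")
PUBLIC_PHP_RE = re.compile(r"/public/[^?\s]*\.php(\?|$)", re.I)
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WINDOW = timedelta(seconds=300)  # assumption: tune to your environment


def find_upload_then_exec(lines, window=WINDOW):
    """Return alerts for clients that upload through the file manager and then
    request a .php file under public/ within `window`."""
    last_browse, last_upload, alerts = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a common/combined format line
        ip, method, path = m["ip"], m["method"], m["path"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if method == "GET" and BROWSE_RE.search(path):
            last_browse[ip] = ts
        elif method == "POST" and UPLOAD_RE.search(path):
            last_upload[ip] = ts
        elif PUBLIC_PHP_RE.search(path) and ip in last_upload:
            if ts - last_upload[ip] <= window:
                browse = last_browse.get(ip)
                alerts.append({
                    "client": ip,
                    "uploaded_at": last_upload[ip].isoformat(),
                    "php_request": path,
                    "status": int(m["status"]),
                    # A browse GET before the POST matches the token-fetch pattern.
                    "browse_before_upload": bool(browse and browse <= last_upload[ip]),
                })
    return alerts


# Constructed sample log lines (not captured traffic).
SAMPLE = [
    '203.0.113.7 - - [22/Jun/2016:10:00:01 +0000] "GET /wolfcms/?/admin/plugin/file_manager/browse/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Jun/2016:10:00:02 +0000] "POST /wolfcms/?/admin/plugin/file_manager/upload/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [22/Jun/2016:10:00:03 +0000] "GET /wolfcms/public/images/logo.png HTTP/1.1" 200 900',
    '203.0.113.7 - - [22/Jun/2016:10:00:04 +0000] "GET /wolfcms/public/x.php HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for alert in find_upload_then_exec(SAMPLE):
        print(alert)
```

The `filename` value travels in the multipart body and does not appear in access logs, so checking its extension needs a WAF or proxy that parses request bodies.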
CVSS provenance
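| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |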
No detection rules found.
Exploit-DB
Wolf CMS 0.8.2 - Arbitrary File Upload (Metasploit)
exploitdb·2016-06-22
CVE-2015-6567 Wolf CMS 0.8.2 - Arbitrary File Upload (Metasploit)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule 'Wolfcms 0.8.2 Arbitrary PHP File Upload Vulnerability',
  'Description' => %q{
    This module exploits a file upload vulnerability in Wolfcms
    version 0.8.2. This application has an upload feature that
    allows an authenticated user with administrator roles to upload
    arbitrary files to the '/public' directory.
  },
  'Author' => [
    'Narendra Bhati', # Proof of concept
    'Rahmat Nurfauzi' # Metasploit module
  ],
  'License' => MSF_LICENSE,
  'References' =>
    [
      ['CVE', '2015-6568'],
      ['CVE', '2015-6567'],
      ['OSVDB','126852'],
      ['EDB', '38000'],
    ],
  'Platform' => ['php'],
  'Arch' =>
```
Exploit-DB
Wolf CMS - Arbitrary File Upload / Execution
exploitdb·2015-08-28·CVSS 8.8
CVE-2015-6568 [HIGH] Wolf CMS - Arbitrary File Upload / Execution
---
# Exploit Title : Wolf CMS 0.8.2 Arbitrary File Upload To Command Execution
# Reported Date : 05-May-2015
# Fixed Date : 10-August-2015
# Exploit Author : Narendra Bhati
# CVE ID : CVE-2015-6567 , CVE-2015-6568
# Contact:
* Facebook : https://facebook.com/narendradewsoft
* Twitter : http://twitter.com/NarendraBhatiB
# Website : http://websecgeeks.com
# Additional Links -
* https://github.com/wolfcms/wolfcms/releases/
* https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html
#For POC -
http://websecgeeks.com/wolf-cms-arbitrary-file-upload-to-command-execution/
1. Description
Every registered user who has access to the upload functionality can upload an arbitrary file to perform command execution.
Vulnerable URL
http:
No writeups or analysis indexed.
- http://www.websecgeeks.com/2015/08/wolf-cms-arbitrary-file-upload-to.html
- https://github.com/wolfcms/wolfcms/commit/2160275b60736f706dfda132c7c46728c5b255fa
- https://github.com/wolfcms/wolfcms/issues/625
- https://github.com/wolfcms/wolfcms/releases/tag/0.8.3.1
- https://www.exploit-db.com/exploits/38000/
- https://www.exploit-db.com/exploits/40004/
- https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html