CVE-2015-6568
published 2017-04-14CVE-2015-6568: Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not prevent…
PriorityP264high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
10.55%
95.2th percentile
Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not prevent a change of a file extension to ".php" after originally using the parameter "filename" for uploading a JPEG image. Exploitation requires a registered user who has access to upload functionality.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wolfcms | wolf_cms | <= 0.8.3 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP POST requests to the file_manager upload endpoint (/?/admin/plugin/file_manager/upload/) where the uploaded filename parameter contains a .php extension, indicating an attempt to upload a PHP webshell. ↗
- →Detect multipart/form-data POST requests to /?/admin/plugin/file_manager/upload/ followed by a GET request to /wolfcms/public/<random>.php, which is the Metasploit exploitation pattern for this CVE. ↗
- →Alert on any file with a .php extension appearing under the /wolfcms/public/ directory, as legitimate uploads should not place executable PHP files there. ↗
- →Monitor for the vulnerable parameter 'filename' in POST requests to the filemanager browse/upload path, especially when the value ends in .php. ↗
- →Inspect the Content-Type header of upload requests; the Metasploit module sends 'multipart/form-data; boundary=---------------------------<boundary>' to the upload endpoint — anomalous boundary patterns may indicate automated exploitation. ↗
- ·Exploitation requires an authenticated session; the attacker must first obtain valid credentials and log in via the admin login endpoint before abusing the file manager. ↗
- ·The Metasploit module targets Wolf CMS 0.8.2 specifically; the base URI defaults to '/wolfcms' but may differ in non-default deployments, affecting path-based detection rules. ↗
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
vendor_redhat3.5LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-x5m3-795f-59g3: Wolf CMS before 0
ghsa_unreviewed·2022-05-17
CVE-2015-6568 [HIGH] CWE-20 GHSA-x5m3-795f-59g3: Wolf CMS before 0
Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not prevent a change of a file extension to ".php" after originally using the parameter "filename" for uploading a JPEG image. Exploitation requires a registered user who has access to upload functionality.
Red Hat
mysql: unspecified vulnerability related to Server:InnoDB:DML (CPU Jan 2015)
vendor_redhat·2015-01-21·CVSS 3.5
CVE-2014-6568 [LOW] mysql: unspecified vulnerability related to Server:InnoDB:DML (CPU Jan 2015)
mysql: unspecified vulnerability related to Server:InnoDB:DML (CPU Jan 2015)
Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DML.
Package: mysql (Red Hat Enterprise Linux 6) - Under investigation
No detection rules found.
Exploit-DB
Wolf CMS 0.8.2 - Arbitrary File Upload (Metasploit)
exploitdb·2016-06-22
CVE-2015-6567 Wolf CMS 0.8.2 - Arbitrary File Upload (Metasploit)
Wolf CMS 0.8.2 - Arbitrary File Upload (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule 'Wolfcms 0.8.2 Arbitrary PHP File Upload Vulnerability',
'Description' => %q{
This module exploits a file upload vulnerability in Wolfcms
version 0.8.2. This application has an upload feature that
allows an authenticated user with administrator roles to upload
arbitrary files to the '/public' directory.
},
'Author' => [
'Narendra Bhati', # Proof of concept
'Rahmat Nurfauzi' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-6568'],
['CVE', '2015-6567'],
['OSVDB','126852'],
['EDB', '38000'],
],
'Platform' => ['php'],
'Arch' =>
Exploit-DB
Wolf CMS - Arbitrary File Upload / Execution
exploitdb·2015-08-28·CVSS 8.8
CVE-2015-6568 [HIGH] Wolf CMS - Arbitrary File Upload / Execution
Wolf CMS - Arbitrary File Upload / Execution
---
# Exploit Title : Wolf CMS 0.8.2 Arbitrary File Upload To Command
Execution
# Reported Date : 05-May-2015
# Fixed Date : 10-August-2015
# Exploit Author : Narendra Bhati
# CVE ID : CVE-2015-6567 , CVE-2015-6568
# Contact:
* Facebook : https://facebook.com/narendradewsoft
*Twitter : http://twitter.com/NarendraBhatiB
# Website : http://websecgeeks.com
# Additional Links -
* https://github.com/wolfcms/wolfcms/releases/
* https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html
#For POC -
http://websecgeeks.com/wolf-cms-arbitrary-file-upload-to-command-execution/
1. Description
Every registered users who have access of upload functionality can upload
an Arbitrary File Upload To perform Command Execution
Vulnerable URL
http:
http://www.websecgeeks.com/2015/08/wolf-cms-arbitrary-file-upload-to.htmlhttps://github.com/wolfcms/wolfcms/commit/2160275b60736f706dfda132c7c46728c5b255fahttps://github.com/wolfcms/wolfcms/issues/625https://github.com/wolfcms/wolfcms/releases/tag/0.8.3.1https://www.exploit-db.com/exploits/38000/https://www.exploit-db.com/exploits/40004/https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.htmlhttp://www.websecgeeks.com/2015/08/wolf-cms-arbitrary-file-upload-to.htmlhttps://github.com/wolfcms/wolfcms/commit/2160275b60736f706dfda132c7c46728c5b255fahttps://github.com/wolfcms/wolfcms/issues/625https://github.com/wolfcms/wolfcms/releases/tag/0.8.3.1https://www.exploit-db.com/exploits/38000/https://www.exploit-db.com/exploits/40004/https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html
2017-04-14
Published