CVE-2015-6967
Published: 2015-09-16
Priority: P2 64 · medium 6.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 49.31% (98.7th percentile)
Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in content/private/plugins/my_image/image.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nibbleblog | nibbleblog | <= 4.0.4 | — |
Detection & IOCs
- Detect POST requests to admin.php with query parameters controller=plugins&action=config&plugin=my_image containing a multipart upload of a .php file — this is the exploit upload vector.
- Detect GET requests to content/private/plugins/my_image/image.php — this path is directly requested to trigger execution of the uploaded PHP payload.
- The uploaded payload filename is always renamed to image.php by Nibbleblog regardless of the original upload filename; monitor for creation of or access to this file under the my_image plugin directory.
- Check for the version string 'Nibbleblog 4.0.3 "Coffee"' in HTTP responses to identify vulnerable targets being fingerprinted by attackers.
- Exploitation requires valid administrator credentials; the vulnerability is not unauthenticated. Brute-force or credential stuffing against admin.php may precede the upload.
- The My Image plugin must be installed on the target Nibbleblog instance for the upload endpoint to exist; absence of the plugin will cause the exploit to fail.
- Affected versions are Nibbleblog before 4.0.5; version 4.0.3 is confirmed vulnerable. The fix was introduced in 4.0.5.
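The first two detections above can be run over web-server access logs. The following is an added example, not code from this page or from the Metasploit module; the log format, sample lines and function names are constructed for illustration. Access logs do not record the multipart body, so the plugin-config POST is only flagged for review, and the finding is marked as correlated when the same client then requests image.php.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:01 +0000] "POST /admin.php HTTP/1.1" 200 1843
203.0.113.7 - - [10/Oct/2015:13:55:09 +0000] "POST /admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1" 200 5120
198.51.100.4 - - [10/Oct/2015:13:55:10 +0000] "GET /index.php HTTP/1.1" 200 9021
203.0.113.7 - - [10/Oct/2015:13:55:12 +0000] "GET /content/private/plugins/my_image/image.php HTTP/1.1" 200 17
198.51.100.9 - - [10/Oct/2015:14:02:40 +0000] "GET /content/private/plugins/my_image/image.jpg HTTP/1.1" 200 48211
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_QUERY = {"controller": "plugins", "action": "config", "plugin": "my_image"}
PAYLOAD_PATH = "/content/private/plugins/my_image/image.php"

def classify(method, target):
    """Label a request as the plugin-config POST, the image.php request, or None."""
    url = urlsplit(target)
    path = unquote(url.path)
    query = {k: v[-1] for k, v in parse_qs(url.query).items()}
    if (method == "POST" and path.endswith("/admin.php")
            and all(query.get(k) == v for k, v in UPLOAD_QUERY.items())):
        return "plugin_config_post"
    # endswith() also covers installs under a sub-directory such as /blog/.
    if path.endswith(PAYLOAD_PATH):
        return "image_php_request"
    return None

def scan(log_text):
    """Return (client, timestamp, kind, follows_config_post) per flagged line."""
    findings, posters = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, method, target, _status = m.groups()
        kind = classify(method, target)
        if kind == "plugin_config_post":
            posters.add(client)
        if kind:
            # image.php requested by a client that earlier posted the plugin
            # config is the upload-then-execute sequence described above.
            correlated = kind == "image_php_request" and client in posters
            findings.append((client, ts, kind, correlated))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A legitimate administrator saving the My Image settings also produces the config POST, so treat it as context; any request for image.php under the plugin directory is the higher-signal event.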
No detection rules found.
Exploit-DB
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)
exploitdb·2015-10-19
---
```ruby
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Nibbleblog File Upload Vulnerability',
      'Description'     => %q{
        Nibbleblog contains a flaw that allows an authenticated remote
        attacker to execute arbitrary PHP code. This module was
        tested on version 4.0.3.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Unknown', # Vulnerability Disclosure - Curesec Research Team. Author's name?
          'Roberto Soares Espreto ' # Metasploit Module
        ],
      'References'      =>
        [
          ['URL', 'http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html']
        ],
      'DisclosureDate'  => 'Sep 01 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Ta
```
Metasploit
Nibbleblog File Upload Vulnerability
metasploit
Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3.
No writeups or analysis indexed.
- http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html
- http://blog.nibbleblog.com/post/nibbleblog-v4-0-5/
- http://packetstormsecurity.com/files/133425/NibbleBlog-4.0.3-Shell-Upload.html
- http://seclists.org/fulldisclosure/2015/Sep/5
Published: 2015-09-16