CVE-2015-7309
Published 2015-09-22
Priority: P3 · 54 · medium · 6.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 38.61% (98.4th percentile)
The theme editor in Bolt before 2.2.5 does not check the file extension when renaming files, which allows remote authenticated users to execute arbitrary code by renaming a crafted file and then directly accessing it.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| boltcms | bolt | <= 2.2.0 | — |
Detection & IOCs (extracted from sources)
command: POST /async/renamefile namespace=theme&parent=<foldername>&oldname=<payload>.png&newname=<payload>.php
- Monitor POST requests to /async/renamefile with a 'newname' parameter ending in .php — this is the rename step that converts an uploaded image to an executable PHP file.
- Detect multipart file uploads to /bolt/files/theme/* where the uploaded filename has an image extension (e.g. .png) but content is PHP code.
- Alert on GET requests to /theme/<foldername>/*.php immediately after a rename operation — this is the webshell execution step.
- Check for the version banner string 'Bolt 2.2.4: Sophisticated, lightweight & simple CMS' in HTTP responses to identify vulnerable targets.
- Authenticated POST to /bolt/login with action=login followed immediately by POST to /async/renamefile is a strong behavioral indicator of this exploit chain.
- Exploit requires valid authenticated credentials; the vulnerability is only exploitable by authenticated users with theme editor access.
- The default theme folder targeted by the Metasploit module is 'base-2014'; defenders should check all theme subdirectories under /theme/ for unexpected .php files.
- The module was tested specifically against Bolt 2.2.4; the NVD advisory states all versions before 2.2.5 are affected.
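The rename and follow-up request indicators from the list above, written as detection logic over log lines. This is an added example, not code from the sources indexed on this page. It assumes a constructed audit-log format that records POST bodies (`time client method URL body`); the function name, the 60-second window, the sample lines and the extension list beyond `.php` are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in an assumed format: "ISO-time client method URL body".
# Plain access logs do not record POST bodies; a WAF or audit log is assumed.
SAMPLE_LOG = """\
2015-09-01T10:00:01 203.0.113.7 POST /bolt/login action=login
2015-09-01T10:00:03 203.0.113.7 POST /async/renamefile namespace=theme&parent=base-2014&oldname=logo.png&newname=logo.php
2015-09-01T10:00:04 203.0.113.7 GET /theme/base-2014/logo.php -
2015-09-01T10:05:00 198.51.100.9 POST /async/renamefile namespace=theme&parent=base-2014&oldname=a.png&newname=b.png
2015-09-01T10:06:00 198.51.100.9 GET /theme/base-2014/index.php -
2015-09-01T11:00:00 192.0.2.44 POST /async/renamefile namespace=theme&parent=base-2014&oldname=x.png&newname=X.PhP
"""

# Assumption: extensions the server hands to PHP; adjust to the local handler config.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def find_rename_alerts(log_text, window=timedelta(seconds=60)):
    """Return (kind, client, path) alerts for the rename and follow-up request steps."""
    alerts, pending = [], {}  # pending: lower-cased served path -> rename time
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, body = line.split(" ", 4)
        when = datetime.fromisoformat(ts)
        path = unquote(urlsplit(url).path)
        if method == "POST" and path.rstrip("/") == "/async/renamefile":
            form = parse_qs(body)  # URL-decodes parameter values
            newname = form.get("newname", [""])[0]
            if form.get("namespace", [""])[0] == "theme" and EXEC_EXT.search(newname):
                parent = form.get("parent", [""])[0].strip("/")
                served = "/theme/%s/%s" % (parent, newname)
                pending[served.lower()] = when
                alerts.append(("rename-to-executable", client, served))
        elif method == "GET" and path.lower() in pending:
            # A request for the renamed file shortly after the rename.
            if when - pending[path.lower()] <= window:
                alerts.append(("request-after-rename", client, path))
    return alerts


if __name__ == "__main__":
    for alert in find_rename_alerts(SAMPLE_LOG):
        print(alert)
```

The image-to-image rename and the request for an existing theme file (`index.php`) in the sample produce no alert; only renames that end in an executable extension, and requests for those renamed paths inside the window, do.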
No detection rules found.
Exploit-DB
CMS Bolt - Arbitrary File Upload (Metasploit)
exploitdb·2015-09-15
---
```ruby
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Module metadata only; the rest of the module is not included on this page.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CMS Bolt File Upload Vulnerability',
      'Description'    => %q{
        Bolt CMS contains a flaw that allows an authenticated remote
        attacker to execute arbitrary PHP code. This module was
        tested on version 2.2.4.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tim Coen',               # Vulnerability Disclosure
          'Roberto Soares Espreto'  # Metasploit Module
        ],
      'References'     =>
        [
          ['URL', 'http://blog.curesec.com/article/blog/Bolt-224-Code-Execution-44.html']
        ],
      'DisclosureDate' => 'Aug 17 2015',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Bolt 2.2.4', {}]],
      'DefaultTarget'  => 0
    ))
  end
end
```
Metasploit
CMS Bolt File Upload Vulnerability
metasploit
Bolt CMS contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 2.2.4.
No writeups or analysis indexed.
- http://blog.curesec.com/article/blog/Bolt-224-Code-Execution-44.html
- http://packetstormsecurity.com/files/133539/CMS-Bolt-2.2.4-File-Upload.html
- http://seclists.org/fulldisclosure/2015/Aug/66
- http://www.rapid7.com/db/modules/exploit/multi/http/bolt_file_upload
- https://bolt.cm/newsitem/bolt-2-2-5-released
- https://www.exploit-db.com/exploits/38196/