Menu

Search for hundreds of thousands of exploits

"Elcom CMS 7.4.10 - Community Manager Insecure Arbitrary File Upload"

Author

Exploit author

"Sense of Security"

Platform

Exploit platform

asp

Release date

Exploit published date

2012-08-27

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
Elcom CMS - Community Manager Insecure File Upload Vulnerability - Security 
Advisory - SOS-12-008


Release Date.              24-Aug-2012
Last Update.               -
Vendor Notification Date.  28-Oct-2011
Product.                   Elcom CMS - Community Manager
Platform.                  ASP.NET
Affected versions.         Elcom Community Manager version 7.4.10 and 
possibly others
Severity Rating.           High
Impact.                    Exposure of system information
                           Exposure of sensitive information
                           System Access
Attack Vector.             Remote with authentication
Solution Status.           Fixed in version 7.5 and later (not verified by 
SOS)
CVE reference.             CVE - not yet assigned

Details.
The https://[server]/UploadStyleSheet.aspx script does not validate the file 
type passed in the parameter "myfile0" on the server side allowing the 
uploading and execution of ASPX files. An attacker can upload an ASPX web 
shell and execute commands with web server user privileges.

Proof of Concept (port scanning).
A shell uploaded using the vulnerable 
(https://[server]/UploadStyleSheet.aspx) script can be accessed at the 
following location: https://[server]/UserUploadedStyles/shell.aspx

Solution.
Upgrade to version 7.5 or later.

Discovered by.
Phil Taylor and Nadeem Salim from Sense of Security Labs.

About us.
Sense of Security is a leading provider of information security and
risk management solutions. Our team has expert skills in assessment
and assurance, strategy and architecture, and deployment through to
ongoing management. We are Australia's premier application penetration
testing firm and trusted IT security advisor to many of the country's
largest organisations.

Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA

T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au/consulting/penetration-testing
E: info@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-12-008.pdf

Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-07-10 "HelloWeb 2.0 - Arbitrary File Download" webapps asp bRpsd
2020-03-16 "Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)" webapps asp "Miguel Mendez Z"
2020-01-24 "OLK Web Store 2020 - Cross-Site Request Forgery" webapps asp "Joel Aviad Ossi"
2019-12-18 "Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting" webapps asp "Harshit Shukla"
2019-11-18 "Crystal Live HTTP Server 6.01 - Directory Traversal" webapps asp "numan türle"
2019-08-16 "Web Wiz Forums 12.01 - 'PF' SQL Injection" webapps asp n1x_
2019-05-06 "microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection" webapps asp "felipe andrian"
2019-02-12 "Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow" dos asp "Kaustubh G. Padwad"
2018-11-05 "Advantech WebAccess SCADA 8.3.2 - Remote Code Execution" webapps asp "Chris Lyne"
2018-05-29 "IssueTrak 7.0 - SQL Injection" webapps asp "Chris Anastasio"
Release Date Title Type Platform Author
2013-11-12 "Juniper Junos J-Web - Privilege Escalation" webapps php "Sense of Security"
2013-04-08 "Google AD Sync Tool - Exposure of Sensitive Information" local multiple "Sense of Security"
2012-11-30 "SilverStripe CMS 3.0.2 - Multiple Vulnerabilities" webapps php "Sense of Security"
2012-09-05 "Ektron CMS 8.5.0 - Multiple Vulnerabilities" webapps asp "Sense of Security"
2012-08-27 "Elcom CMS 7.4.10 - Community Manager Insecure Arbitrary File Upload" webapps asp "Sense of Security"
2012-06-18 "QNAP Turbo NAS 3.6.1 Build 0302T - Multiple Vulnerabilities" webapps hardware "Sense of Security"
2012-03-07 "Iciniti Store - SQL Injection" webapps asp "Sense of Security"
2012-03-05 "Symfony2 - Local File Disclosure" webapps php "Sense of Security"
2012-02-23 "Snom IP Phone - Privilege Escalation" webapps hardware "Sense of Security"
2011-10-17 "WordPress Plugin BackWPUp 2.1.4 - Code Execution" webapps php "Sense of Security"
2011-09-20 "NETGEAR Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery" webapps hardware "Sense of Security"
2011-09-19 "Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities" webapps hardware "Sense of Security"
2011-07-20 "Oracle Sun GlassFish Enterprise Server - Persistent Cross-Site Scripting" webapps jsp "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - 'iptm/ddv.do?deviceInstanceName' Cross-Site Scripting" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - '/iptm/logicalTopo.do' Multiple Cross-Site Scripting Vulnerabilities" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - '/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp' Multiple Cross-Site Scripting Vulnerabilities" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - iptm/eventmon Multiple Cross-Site Scripting Vulnerabilities" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - 'iptm/advancedfind.do?extn' Cross-Site Scripting" remote hardware "Sense of Security"
2011-05-20 "PHP Captcha / Securimage 2.0.2 - Authentication Bypass" webapps php "Sense of Security"
2011-05-18 "Cisco Unified Operations Manager 8.5 - Common Services Device Center Cross-Site Scripting" remote hardware "Sense of Security"
2011-05-18 "Cisco Unified Operations Manager - Multiple Vulnerabilities" remote windows "Sense of Security"
2011-05-18 "CiscoWorks Common Services 3.1.1 - Auditing Directory Traversal" webapps java "Sense of Security"
2011-05-18 "CiscoWorks Common Services Framework 3.1.1 Help Servlet - Cross-Site Scripting" remote hardware "Sense of Security"
2011-04-15 "cPassMan 1.82 - Arbitrary File Download" webapps php "Sense of Security"
2011-03-28 "WordPress Plugin BackWPup - Remote Code Execution / Local Code Execution" webapps php "Sense of Security"
2010-12-20 "Elcom CommunityManager.NET - Authentication Bypass" webapps asp "Sense of Security"
2009-08-12 "Plume CMS 1.2.3 - Multiple SQL Injections" webapps php "Sense of Security"
2009-06-30 "XOOPS 2.3.3 - 'op' Multiple Cross-Site Scripting Vulnerabilities" webapps php "Sense of Security" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected