LightBlog provides "webmasters who don't have SQL databases with a fully featured blogging system. Using text files to store data, there's no need for complicated installation procedures or a potentially pricey hosting bill". A vulnerability in the way LightBlog handles uploaded images allows remote attackers to upload a PHP file instead, which can then be executed and in turn compromise the operating system where LightBlog is installed.
Credit:
The information has been provided by Omni.
Vulnerable Systems:
* LightBlog version 9.5
Immune Systems:
* LightBlog version 9.6
Arbitrary File Upload Vulnerability
A remote file upload vulnerability is present in LightBlog version 9.5. Users without permissions are able to upload any kind of file, including .php files, so an attacker can upload their own remote PHP shell. The vulnerable file is cp_upload_image.php, located in the root directory of the uploaded blog (see the proof of concept below).
Proof of concept:
Access http://localhost/light/cp_upload_image.php
Then, just look for your PHP shell, upload it (shell.php) and then use it:
http://localhost/light/images/shell.php