October CMS Upload Protection Bypass Code Execution
Disclosed | Created |
---|---|
2017-04-25 | 2019-09-06 |
Description
This module exploits an upload protection bypass in October CMS. An authenticated user with permission to upload and manage media contents can
upload various files to the server. The application prevents the user from
uploading PHP code by checking the file extension. It uses a blacklist-based
approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
Definitions.php:blockedExtensions().
This module was tested on October CMS version v1.0.412 on Ubuntu.
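The difference between the blacklist check described above and an allow-list check, shown as an added PHP example that is not October CMS or Metasploit code. The extension lists, function names and sample file names are constructed for illustration and are not the contents of blockedExtensions().

```php
<?php
declare(strict_types=1);

// Constructed lists for illustration; not the contents of blockedExtensions().
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'cgi', 'sh'];
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/** Lower-cased final extension, or null when the name is unusable. */
function uploadExtension(string $name): ?string
{
    // Control characters (including NUL) and path separators are never valid.
    if ($name === '' || preg_match('/[\x00-\x1f\/\\\\]/', $name)) {
        return null;
    }
    // Normalise trailing dots and spaces so the comparison sees the real suffix.
    $name = rtrim($name, '. ');
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    return $ext === '' ? null : strtolower($ext);
}

/** Blacklist check: accepts every extension the list does not name. */
function denyListAccepts(string $name): bool
{
    $ext = uploadExtension($name);
    return $ext !== null && !in_array($ext, BLOCKED_EXTENSIONS, true);
}

/** Allow-list check: accepts only the extensions the media library needs. */
function allowListAccepts(string $name): bool
{
    $ext = uploadExtension($name);
    return $ext !== null && in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Constructed sample names; "xyz" stands for any extension the blacklist omits.
$samples = ['photo.JPG', 'notes.txt', 'PAGE.PHP', 'archive.xyz', 'README'];
foreach ($samples as $name) {
    printf(
        "%-12s blacklist: %-7s allow-list: %s\n",
        $name,
        denyListAccepts($name) ? 'accept' : 'reject',
        allowListAccepts($name) ? 'accept' : 'reject'
    );
}
```

Only `archive.xyz` is treated differently by the two checks: the blacklist accepts it because nobody listed it, while the allow-list rejects it by default. Extension filtering is most effective when uploads are also stored where the web server does not execute scripts.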
Authors
Anti Räis
Touhid M.Shaikh touhidshaikh22@gmail.com
SecureLayer7.net
Platform
PHP
Architectures
php
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
