SB2018092307 - Multiple vulnerabilities in ming-soft MCMS

Description

This security bulletin contains information about 3 vulnerabilities.

1) Arbitrary file upload (CVE-ID: CVE-2018-18830)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in commingsoftasicactionwebFileAction.java in MCMS 4.6.5. Since the upload interface does not verify the user login status, you can use this interface to upload files without setting a cookie. First, start an upload of JSP code with a .png filename, and then intercept the data packet. In the name parameter, change the suffix to jsp. In the response, the server returns the storage path of the file, which can be accessed to execute arbitrary JSP code.

2) Path traversal (CVE-ID: CVE-2018-18831)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in commingsoftcmsactionGeneraterAction.java in MCMS 4.6.5. An attacker can write a .jsp file (in the position parameter) to an arbitrary directory via a ../ Directory Traversal in the url parameter.

3) Cross-site request forgery (CVE-ID: CVE-2018-17366)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as add an administrator account via ms/basic/manager/save.do.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://gitee.com/mingSoft/MCMS/issues/IO0IQ
• https://gitee.com/mingSoft/MCMS/issues/IO0K0
• https://gitee.com/mingSoft/MCMS/issues/IM1DA