SB2018112502 - Multiple vulnerabilities in SDCMS
Published: November 25, 2018 Updated: August 8, 2020
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2018-19748)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
app/plug/attachment/controller/admincontroller.php in SDCMS 1.6 allows reading arbitrary files via a /?m=plug&c=admin&a=index&p=attachment&root= directory traversal. The value of the root parameter must be base64 encoded (note that base64 encoding, instead of URL encoding, is very rare in a directory traversal attack vector).
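Added example, not part of the original bulletin or of SDCMS: because the root value is base64 encoded, URL signatures that look for ../ or %2e%2e never match it, so a log review has to decode the parameter before testing it. The Python code below does that over access-log lines; the combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters identifying the attachment plug-in endpoint named in the bulletin.
ENDPOINT = {"m": "plug", "c": "admin", "a": "index", "p": "attachment"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def decode_root(value):
    """Base64-decode the root parameter; return None if it is not valid base64."""
    value = value.replace(" ", "+")   # parse_qs turns a literal '+' into a space
    value += "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def is_traversal(path):
    """True if the decoded path climbs out of, or ignores, the base directory."""
    parts = re.split(r"[\\/]+", path)
    return ".." in parts or path.startswith(("/", "\\")) or bool(re.match(r"[A-Za-z]:", path))


def scan(lines):
    """Return (line_number, decoded_root) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        query = parse_qs(urlsplit(match.group(1)).query) if match else {}
        if any(query.get(k, [""])[0] != v for k, v in ENDPOINT.items()):
            continue  # not the attachment endpoint
        for raw in query.get("root", []):
            decoded = decode_root(raw)
            if decoded is not None and is_traversal(decoded):
                hits.append((number, decoded))
    return hits


def _line(query):  # builds a constructed sample log line, not real traffic
    return f'203.0.113.7 - - [25/Nov/2018:10:00:00 +0000] "GET /?{query} HTTP/1.1" 200 512'

def _root(path):  # constructed request to the attachment endpoint
    return "m=plug&c=admin&a=index&p=attachment&root=" + base64.b64encode(path.encode()).decode()

SAMPLE_LOG = [_line(_root("images/2018")), _line(_root("../../app")), _line("m=home")]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # [(2, '../../app')]
```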
2) Code Injection (CVE-ID: CVE-2018-19520)
The vulnerability allows a remote authenticated user to execute arbitrary code.
An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a check_bad function in an attempt to block certain PHP functions such as eval, but does not prevent use of preg_replace 'e' calls, allowing users to execute arbitrary code by leveraging access to admin template management.
Remediation
Install the update from the vendor's website.
References
- https://blog.whiterabbitxyj.com/cve/SDCMS_1.6_directory_traversal.doc
- https://github.com/WhiteRabbitc/WhiteRabbitc.github.io/blob/master/cve/SDCMS_1.6_directory_traversal.doc
- https://blog.whiterabbitxyj.com/cve/SDCMS_1.6_code_execution.doc
- https://github.com/WhiteRabbitc/WhiteRabbitc.github.io/blob/master/cve/SDCMS_1.6_code_execution.doc