Multiple vulnerabilities in SDCMS

Published: 2019-03-11 09:40:52 | Updated: 2019-03-11
Severity: Medium
Patch available: NO
Number of vulnerabilities: 2
CVE ID: CVE-2019-9652, CVE-2019-9651
CVSSv3:
  8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C]
  6.8 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C]
CWE ID: CWE-352, CWE-434
Exploitation vector: Network
Public exploit:
  Public exploit code for vulnerability #1 is available.
  Public exploit code for vulnerability #2 is available.
Vulnerable software: SDCMS
Vulnerable software versions: SDCMS 1.7
Vendor URL: SDCMS

Security Advisory

1) Cross-site request forgery

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary PHP code on the vulnerable website on behalf of the victim by providing a filename via the "file" parameter and file content via the "t2" parameter.

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links

http://www.iwantacve.cn/index.php/archives/156/

2) Dangerous file upload

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists because the file-extension validation performed before a file upload, in the check_bad() function in the app\admin\controller\themecontroller.php file, does not account for letter case. A remote authenticated attacker can upload a PHP file to the system that contains a system() PHP call and has the file extension ".PHP".
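The following added example (not SDCMS code and not part of the original advisory) contrasts a case-sensitive extension blocklist with a normalised allowlist check. The function names, the allowlist and the sample file names are assumptions made for illustration.

```php
<?php
// Added illustration, not SDCMS code. Function names and the allowlist are assumptions.

// Weak pattern: case-sensitive blocklist. ".PHP" does not match ".php".
function weak_is_allowed(string $name): bool
{
    $blocked = ['.php'];
    foreach ($blocked as $ext) {
        if (strpos($name, $ext) !== false) {
            return false;
        }
    }
    return true;
}

// Hardened pattern: normalise the name, then compare against an allowlist.
function strict_is_allowed(string $name, array $allowed = ['html', 'htm', 'css', 'js']): bool
{
    // Reject empty names, NUL bytes and path separators outright.
    if ($name === '' || preg_match('/[\x00\/\\\\]/', $name)) {
        return false;
    }
    // Trailing dots and spaces are dropped by some filesystems (e.g. Windows).
    $clean = rtrim($name, ". \t");
    $parts = explode('.', strtolower($clean));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension, or a dotfile such as ".htaccess"
    }
    array_shift($parts); // drop the base name
    // Every extension segment must be allowlisted, so "a.php.html" fails.
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names.
$samples = ['index.html', 'style.CSS', 'shell.php', 'shell.PHP',
            'shell.pHp.', 'a.php.html', '.htaccess', 'noext'];
foreach ($samples as $s) {
    printf("%-12s weak=%-5s strict=%s\n", $s,
        var_export(weak_is_allowed($s), true),
        var_export(strict_is_allowed($s), true));
}
```

An extension check of this kind is only one layer: storing uploaded files outside the web root, or in a directory where the server does not execute scripts, limits the impact if a check is bypassed.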

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links

http://www.iwantacve.cn/index.php/archives/155/