ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection


#1

If you are interested in knowing the security issues and how you can check your own site for vulnerabilities read here: https://www.exploit-db.com/exploits/44250/?rss

From exploit-db.com:

Business recommendation:

By exploiting the vulnerabilities documented in this advisory, an attacker can
fully compromise the web server which has ClipBucket installed. Potentially
sensitive data might get exposed through this attack.

Users are advised to immediately install the patched version provided by the
vendor.

Vulnerability overview/description:

  1. Unauthenticated OS Command Injection
    Any OS commands can be injected by an unauthenticated attacker. This is a serious
    vulnerability as the chances for the system to be fully compromised is very
    high. This same vulnerability can also be exploited by authenticated attackers
    with normal user privileges.

  2. Unauthenticated Arbitrary File Upload
    A malicious file can be uploaded into the webserver by an unauthenticated
    attacker. It is possible for an attacker to upload a script to issue operating
    system commands. This same vulnerability can also be exploited by an
    authenticated attacker with normal user privileges.

  3. Unauthenticated Blind SQL Injection
    The identified SQL injection vulnerabilities enable an attacker to execute
    arbitrary SQL commands on the underlying MySQL server.