Blue River Mura CMS before v7.0.7029 supports inline function calls with an [m] tag and [/m] end tag, without proper restrictions on file types or pathnames, which allows remote attackers to execute arbitrary code via an [m]$.dspinclude("../pathname/executable.jpeg")[/m] approach, where executable.jpeg contains ColdFusion Markup Language code. This can be exploited in conjunction with a CKFinder feature that allows file upload.
Vector
NETWORK
Complexity
LOW
Authentication
SINGLE_INSTANCE
Confidentiality
PARTIAL
Integrity
PARTIAL
Availability
PARTIAL
Blueriver Muracms 5.5 (not an official CPE)
Blueriver Muracms 6.1.6029 (not an official CPE)
Blueriver Muracms 6.2.6161 (not an official CPE)
Blueriver Muracms 6.2.6527 (not an official CPE)
Blueriver Muracms 7.0.6919 (not an official CPE)
Blueriver Muracms 7.0.6930 (not an official CPE)
Blueriver Muracms 7.0.6967 (not an official CPE)
| Advisory | Patch | Confirmed | Link |
|---|---|---|---|
| http://bekhzod0725.github.io/cybersecurity/2018/02/16/ex... |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (ID 22)
Related CAPEC 7
Relative Path Traversal (CAPEC-ID 139)
Directory Traversal (CAPEC-ID 213)
File System Function Injection, Content Based (CAPEC-ID 23)
Using Slashes and URL Encoding Combined to Bypass Validation Logic (CAPEC-ID 64)
Manipulating Input to File System Calls (CAPEC-ID 76)
Using Escaped Slashes in Alternate Encoding (CAPEC-ID 78)
Using Slashes in Alternate Encoding (CAPEC-ID 79)