A Zoomla system vulnerability causes Server Control

Source: Internet
Author: User


A Zoomla system vulnerability makes the server controllable (I have logged on to Zoomla's email account and the old official forum's administrator account).

A series of problems caused by the upload vulnerability; WooYun has the vulnerability description.

Through http://www.njzxw.cn/Plugins/swfFileUpload/UploadHandler.ashx, an upload form can be constructed to submit an ASPX trojan (webshell) to the server. For the principle, refer to: WooYun: Lang cms 2.4 Arbitrary File Upload somewhere (no login required).

On checking, the application runs with high permissions, so dozens of websites hosted on this server can be controlled. The official forum bbs.zoomla.cn is also on this server, and the company email account password is found in its configuration:

The official account "web" on mail.hx008.com and mail.zoomla.cn can be logged into; these are the official email addresses of chinamanet and chinamanet respectively:

On checking, the bbs.zoomla.cn forum has been moved to http://club.zoomla.cn/, but was the account password changed? Looking at the bbs accounts:

Using the account password from the bbs system, a management account of the club can be logged into successfully:

The website runs the Zoomla CMS system, and the server should also belong to Chinese Internet under the same company.

Solution:

Each website should update to the latest CMS version.

The server should set separate permission levels for each website, so that the permissions configured for a website allow access only to that website's own files.
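As an added defender-side example that is not part of the original report, the following Python flags the chain described above (a POST to the swfFileUpload UploadHandler.ashx followed shortly by a successful GET of a server-side script) in IIS-style W3C log lines. The log excerpt is constructed sample data, and the field layout and ten-minute window are assumptions.

```python
"""Flag a POST to the upload handler followed by a GET of a server-side script."""
from datetime import datetime, timedelta

# Constructed IIS W3C-style log excerpt for demonstration (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2014-03-01 10:00:01 203.0.113.5 GET /Default.aspx 200
2014-03-01 10:00:09 203.0.113.5 POST /Plugins/swfFileUpload/UploadHandler.ashx 200
2014-03-01 10:00:15 203.0.113.5 GET /UploadFiles/20140301/x1.aspx 200
2014-03-01 10:01:00 198.51.100.7 POST /Plugins/swfFileUpload/UploadHandler.ashx 200
2014-03-01 10:01:05 198.51.100.7 GET /UploadFiles/20140301/photo.jpg 200
"""

# Extensions handed to the ASP.NET/ASP engines; a fresh upload with one is the webshell tell.
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")
UPLOAD_HANDLER = "/plugins/swffileupload/uploadhandler.ashx"  # path taken from the report

def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive as the column header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield rec

def find_upload_then_execute(text, window_seconds=600):
    """Hits: a client POSTs to the upload handler, then within the window GETs a script
    with status 200. In production, restrict hits to the upload storage directory."""
    last_upload, hits = {}, []
    for rec in parse_w3c(text):
        stem, ip = rec["cs-uri-stem"].lower(), rec["c-ip"]
        if rec["cs-method"] == "POST" and stem.endswith(UPLOAD_HANDLER):
            last_upload[ip] = rec["ts"]
        elif (rec["cs-method"] == "GET" and stem.endswith(SCRIPT_EXT)
              and rec["sc-status"] == "200" and ip in last_upload
              and not stem.endswith(UPLOAD_HANDLER)):
            delta = rec["ts"] - last_upload[ip]
            if delta <= timedelta(seconds=window_seconds):
                hits.append({"ip": ip, "path": rec["cs-uri-stem"],
                             "seconds": delta.total_seconds()})
    return hits

if __name__ == "__main__":
    for hit in find_upload_then_execute(SAMPLE_LOG):
        print(f"{hit['ip']} fetched {hit['path']} {hit['seconds']:.0f}s after an upload")
```

A legitimate upload followed by a page view of an application .aspx will also match, so pair this with a file-integrity check on the upload directory before treating a hit as confirmed.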
