shopify.com unrestricted file upload Vulnerability

CVE: CVE-2021-20033
Category: CWE-434
Price: Not specified
Severity: Critical
Author: Not specified
Risk: High
Exploitation Type: Remote
Date: 2018-02-05
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018020070

Below is a copy:

shopify.com unrestricted file upload Vulnerability
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
| # Title    : shopify.com unrestricted file upload Vulnerability
| # Author   : indoushka
| # email    : [email protected]
| # Dork     : Powered by Shopify
| # Tested on: Windows 8.1 Français V.(Pro)
========================================================================

poc :

Create a new free account

After accessing the Control Panel

ex: https://yourname.myshopify.com/admin/auth/login

Go to the Add product section

ex: https://yourname.myshopify.com/admin/products/

Add a new product, attaching images (insert image)

Choose a different file extension

Find the files here

poc :

http://cdn.shopify.com/s/files/1/0912/8298/files/test.htm
http://cdn.shopify.com/s/files/1/0912/8298/files/ahmad.mp3
http://cdn.shopify.com/s/files/1/0912/8298/files/index.htm
http://cdn.shopify.com/s/files/1/0912/8298/files/ahmad.php
http://cdn.shopify.com/s/files/1/0912/8298/files/index_7082b8ce-7bd2-40e8-ac57-1da130812fbf.htm
http://cdn.shopify.com/s/files/1/0912/8298/files/.htaccsess


Greetz :----------------------------------------------------------------------------------------
                                                                                               |
jericho * Larry W. Cashdollar * shadow0075 * djroot.dz *Gjoko 'LiquidWorm' Krstic              |
                                                                                               |
================================================================================================
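As an added, defender-side example that is not part of the advisory above or of Shopify's code: an image-upload validator of the kind that closes this CWE-434 class, written in Python against constructed sample inputs (the names echo the advisory's findings, the file bodies are made up here). It enforces an extension allowlist, rejects dotfiles and double extensions, checks the file signature against the declared extension, and never stores a file under the client-supplied name.

```python
import os
import secrets
from typing import Optional

# Image-only upload policy: only these extensions are accepted, and each must be
# backed by the matching file signature (magic bytes), so a renamed .php or .htm
# body does not pass as an image.
ALLOWED_IMAGE_TYPES = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
}

def validate_image_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason). The decision uses both the name and the bytes."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    if not base or base.startswith("."):
        return False, "dotfiles and empty names are rejected (e.g. .htaccess)"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension is required (no double extensions)"
    ext = parts[1]
    signatures = ALLOWED_IMAGE_TYPES.get(ext)
    if signatures is None:
        return False, f"extension .{ext} is not an allowed image type"
    if not any(content.startswith(sig) for sig in signatures):
        return False, f"content does not match the .{ext} signature"
    return True, "ok"

def storage_name(filename: str, content: bytes) -> Optional[str]:
    """Server-chosen random name carrying only the validated extension."""
    ok, _ = validate_image_upload(filename, content)
    if not ok:
        return None
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed samples: names mirror the advisory's findings, bodies are invented.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,   # genuine PNG header
    "ahmad.php": b"<?php echo 'constructed'; ?>",
    "index.htm": b"<html><body>constructed</body></html>",
    ".htaccess": b"# constructed config text",
    "fake.png":  b"<html>constructed</html>",           # image name, non-image body
    "a.php.png": b"\x89PNG\r\n\x1a\n",                  # double extension
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, validate_image_upload(name, body))
```

Only photo.png passes; every other sample is refused for a different reason, which is the point: name checks and content checks each catch cases the other misses.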

Copyright ©2024 Exploitalert.
