From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. **Vulnerability Description**: - **Product**: C-MOR Video Surveillance - **Manufacturer**: za-internet GmbH - **Affected Version**: 5.2401 - **Tested Version**: 5.2401 - **Vulnerability Type**: Unrestricted File Upload (CWE-434) - **Risk Level**: High - **Solution Status**: Fixed - **Manufacturer Notification Date**: 2024-04-05 - **Public Disclosure Date**: 2024-09-04 - **CVE Reference**: CVE-2024-45171 - **Authors**: Chris Beiter, Frederik Beimgraben, and Matthias Deeg 2. **Vulnerability Details**: - Analysis of C-MOR’s web interface revealed that the backup file upload functionality allows authenticated users to upload arbitrary files. The only requirement is that the filename must contain the string ".cbkf". - Therefore, "webshell.cbkf.php" is considered a valid filename for the C-MOR web application. - Uploaded files are stored in the "/srv/www/backups" directory and can be accessed via URL: `https:///backup/upload_`. - Due to flawed access control, low-privileged authenticated users can also exploit this file upload functionality (see SYSS-2024-024). 3. **PoC (Proof of Concept)**: - By exploiting the backup file upload feature, any PHP code can be uploaded, such as a simple PHP web shell named `webshell.cbkf.php`. - After successful upload, the uploaded PHP web shell can be accessed and executed via the following URL, leading to OS command execution: `https:///backup/upload_webshell.cbkf.php?cmd=` 4. **Solution**: - Install C-MOR Video Surveillance version 6.00PL1. 5. **Disclosure Timeline**: - 2024-04-05: Vulnerability reported to the manufacturer - 2024-04-05: Manufacturer acknowledged receipt of the security advisory - 2024-04-08: Communication regarding security update and disclosure timeline - 2024-05-08: Further communication on security update and disclosure timeline; public release of all security advisories - 2024-05-10: Release of C-MOR software version 5.30, including fixes for some reported security issues - 2024-07-19: Email regarding the release date of C-MOR Video Surveillance version 6; planned release date: 2024-08-01 - 2024-07-30: Manufacturer’s email regarding further security fix information - 2024-07-31: Release of C-MOR software version 6.00PL1 - 2024-09-04: Public release of the security advisory 6. **References**: - [Product Website](https://www.c-mor.com/) - [SySS Security Advisory SYSS-2024-026](https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-026.txt) - [SySS Security Advisory SYSS-2024-024](https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt) - [SySS Responsible Disclosure Policy](https://www.syss.de/en/responsible-disclosure-policy/) 7. **Disclaimer**: - Information is provided "as is" and without any warranty. Details of the security advisory may be updated to provide as accurate information as possible. The latest version of the advisory can be found on the SySS website. 8. **Copyright**: - Creative Commons - Attribution (by) - Version 3.0 - URL: http://creativecommons.org/licenses/by/3.0/deed.en This information provides a detailed description of the unrestricted file upload vulnerability in the C-MOR Video Surveillance system, along with the solution and disclosure timeline.