CMSLogik 1.2.1 (upload_file_ajax()) Shell Upload Exploit
Title: CMSLogik 1.2.1 (upload_file_ajax()) Shell Upload Exploit
Advisory ID: ZSL-2013-5138
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 14.04.2013
--------------------------------------------------------------------------------
Summary
CMSLogik is built on a solid and lightweight framework called CodeIgniter, with design powered by Bootstrap. This combination allows for greater security, extensive flexibility, and ease of use. You can use CMSLogik for almost any niche that your project might fall into.
Description
The vulnerability is caused by improper verification of uploaded files in the '/application/controllers/support.php' script, through the 'upload_file_ajax()' function. The function's extension allow-list includes 'php', 'html' and 'js', and accepted files are written to the web-reachable '/support_files' directory. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with multiple extensions to '/support_files' and then requesting it. Normal user [level 113] authentication is required.
--------------------------------------------------------------------------------
/application/controllers/support.php:
-------------------------
public function upload_file_ajax()
{
    // Extension allow-list: 'html', 'php' and 'js' are accepted alongside image and document types
    $allowedExtensions = array('jpeg', 'jpg', 'gif', 'png', 'html', 'php', 'js', 'doc', 'docx', 'pdf', 'ppt', 'pps', 'pptx', 'ppsx');
    $sizeLimit = 10 * 1024;   // 10 KiB upload limit
    $params = array('extensions' => $allowedExtensions, 'size' => $sizeLimit);
    $this->load->library('qqfileuploader', $params);

    // The accepted file is stored in ./support_files, which is reachable over HTTP
    $result = $this->qqfileuploader->handleUpload('./support_files');

    echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
}
--------------------------------------------------------------------------------
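The allow-list above is the whole problem: any upload whose extension appears in the array is written under ./support_files, and the array contains 'php', 'html' and 'js'. The Python below is an added illustration written for this page (it is neither CMSLogik code nor the cmslogik_shell.py PoC). vulnerable_allowed() mirrors the last-extension check that the 1.2.1 list implies, and hardened_check() shows what an upload validator for a web-reachable directory needs instead: a reduced allow-list of non-executable types, a check on every dot-separated segment (so shell.php.jpg is refused; Apache with a mod_mime AddHandler registered for .php will execute such a name), a magic-byte check against the claimed type, and a server-chosen random file name. The EXECUTABLE_EXTS set, the MAGIC table and the sample inputs are constructed for the example.

```python
import os
import secrets

# Extension allow-list as it appears in CMSLogik 1.2.1 support.php (from the advisory).
CMSLOGIK_ALLOWED = {'jpeg', 'jpg', 'gif', 'png', 'html', 'php', 'js',
                    'doc', 'docx', 'pdf', 'ppt', 'pps', 'pptx', 'ppsx'}

# Constructed deny-list: extensions a PHP web server typically hands to the
# interpreter, or that a browser executes. None belong in an upload
# allow-list whose target directory is served over HTTP.
EXECUTABLE_EXTS = {'php', 'php3', 'php4', 'php5', 'phtml', 'phar',
                   'html', 'htm', 'shtml', 'js', 'htaccess'}

# Constructed magic-byte table for the types the hardened check still accepts.
MAGIC = {
    'jpg':  (b'\xff\xd8\xff',),
    'jpeg': (b'\xff\xd8\xff',),
    'png':  (b'\x89PNG\r\n\x1a\n',),
    'gif':  (b'GIF87a', b'GIF89a'),
    'pdf':  (b'%PDF-',),
}


def vulnerable_allowed(filename, allowed=CMSLOGIK_ALLOWED):
    """Mirror of the check the 1.2.1 allow-list implies: look only at the text
    after the last dot and accept it if it is in the list. Because the list
    contains 'php', 'html' and 'js', a plain shell.php passes, and because
    'jpg' is in the list, shell.php.jpg passes as well."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    return ext in allowed


def hardened_check(filename, data, allowed=frozenset(MAGIC)):
    """Validate an upload destined for a web-reachable directory.

    Returns (True, server_chosen_name) or (False, reason).
    """
    base = os.path.basename(filename).lower()
    parts = base.split('.')
    # Require a real base name plus at least one extension ('.htaccess' fails here).
    if len(parts) < 2 or not parts[0]:
        return False, 'no usable extension'
    ext = parts[-1]
    # Only the reduced allow-list of non-executable types is accepted.
    if ext not in allowed:
        return False, 'extension not allowed: %s' % ext
    # Every extension segment is checked, not just the last one, so
    # shell.php.jpg is refused even though 'jpg' is allowed.
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False, 'executable extension segment in name'
    # The content must start with the magic bytes of the claimed type.
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, 'content does not match claimed type'
    # The server picks the stored name: random token plus the validated
    # extension, so the client never controls the path under the upload dir.
    return True, '%s.%s' % (secrets.token_hex(16), ext)


if __name__ == '__main__':
    # Constructed sample inputs.
    webshell = b'<?php system($_GET["c"]); ?>'
    polyglot = b'\xff\xd8\xff\xe0' + b'<?php phpinfo(); ?>'
    for name, data in (('shell.php', webshell),
                       ('shell.php.jpg', polyglot),
                       ('photo.jpg', b'\xff\xd8\xff\xe0\x00\x10JFIF'),
                       ('report.pdf', b'%PDF-1.4\n')):
        print(name, 'vulnerable:', vulnerable_allowed(name),
              'hardened:', hardened_check(name, data))
```

The magic-byte check does not stop a polyglot such as a valid JPEG header followed by PHP, so it is a supporting control only; the defences that actually remove the code-execution path are dropping executable types from the allow-list, refusing any executable segment in multi-extension names, storing under a server-chosen name, and, where the application permits it, keeping the upload directory outside the document root or serving it with script execution disabled.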
Vendor
ThemeLogik - http://www.themelogik.com/cmslogik
Affected Version
1.2.1 and 1.2.0
Tested On
Router Webserver
Vendor Status
[05.04.2013] Vulnerability discovered.
[05.04.2013] Contact with the vendor.
[05.04.2013] Vendor replies asking more details.
[05.04.2013] Sent detailed information to the vendor.
[08.04.2013] Vendor confirms the issues promising patch.
[14.04.2013] Vendor fixes the vulnerability.
[14.04.2013] Coordinated public security advisory released.
PoC
cmslogik_shell.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://cxsecurity.com/issue/WLB-2013040106
[2] http://www.exploit-db.com/exploits/24959/
[3] http://packetstormsecurity.com/files/121305
[4] http://osvdb.org/show/osvdb/92320
Changelog
[14.04.2013] - Initial release
[15.04.2013] - Added reference [1] and [2]
[16.04.2013] - Added reference [3] and [4]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk