Oxwall 1.7.0 Remote Code Execution Exploit
Title: Oxwall 1.7.0 Remote Code Execution Exploit
Advisory ID: ZSL-2014-5196
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 28.07.2014
Apache/2.2.22 (Debian)
PHP 5.4.4-13(apache2handler)
MySQL 5.5.28
[18.07.2014] Vendor contacted.
[20.07.2014] No reply from the vendor.
[21.07.2014] Vendor contacted again.
[23.07.2014] Reminded vendor on twitter to check their e-mails.
[23.07.2014] No reply from the vendor whatsoever.
[23.07.2014] Created a forum account and contacted the vendor there.
[24.07.2014] Vendor responds on the forum post asking more details.
[24.07.2014] Informed the vendor to conference via e-mail.
[25.07.2014] Vendor responds on the e-mails sent previously, asking more details.
[25.07.2014] Sent detailed information to the vendor.
[27.07.2014] Asked vendor for status update.
[27.07.2014] No reply from the vendor.
[28.07.2014] Public security advisory released.
[2] http://packetstormsecurity.com/files/127653
[3] http://cxsecurity.com/issue/WLB-2014070156
[4] http://osvdb.org/show/osvdb/109626
[5] http://www.securityfocus.com/bid/68937
[6] http://sebug.net/vuldb/ssvid-87163
[7] http://xforce.iss.net/xforce/xfdb/94914
[29.07.2014] - Added reference [1], [2], [3] and [4]
[30.07.2014] - Added reference [5] and [6]
[20.10.2014] - Added reference [7]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2014-5196
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 28.07.2014
Summary
Oxwall is unbelievably flexible and easy to use PHP/MySQL social networking software platform.Description
Oxwall suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in '/admin/settings/user' script thru the 'avatar' and 'bigAvatar' POST parameters. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with '.php5' extension (to bypass the '.htaccess' block rule) that will be stored in '/ow_userfiles/plugins/base/avatars/' directory.Vendor
Oxwall Software Foundation - http://www.oxwall.orgAffected Version
1.7.0 (build 7907 and 7906)Tested On
Kali Linux 3.7-trunk-686-paeApache/2.2.22 (Debian)
PHP 5.4.4-13(apache2handler)
MySQL 5.5.28
Vendor Status
[18.07.2014] Vulnerabilities discovered.[18.07.2014] Vendor contacted.
[20.07.2014] No reply from the vendor.
[21.07.2014] Vendor contacted again.
[23.07.2014] Reminded vendor on twitter to check their e-mails.
[23.07.2014] No reply from the vendor whatsoever.
[23.07.2014] Created a forum account and contacted the vendor there.
[24.07.2014] Vendor responds on the forum post asking more details.
[24.07.2014] Informed the vendor to conference via e-mail.
[25.07.2014] Vendor responds on the e-mails sent previously, asking more details.
[25.07.2014] Sent detailed information to the vendor.
[27.07.2014] Asked vendor for status update.
[27.07.2014] No reply from the vendor.
[28.07.2014] Public security advisory released.
PoC
oxwall_rce.pyCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.exploit-db.com/exploits/34191/[2] http://packetstormsecurity.com/files/127653
[3] http://cxsecurity.com/issue/WLB-2014070156
[4] http://osvdb.org/show/osvdb/109626
[5] http://www.securityfocus.com/bid/68937
[6] http://sebug.net/vuldb/ssvid-87163
[7] http://xforce.iss.net/xforce/xfdb/94914
Changelog
[28.07.2014] - Initial release[29.07.2014] - Added reference [1], [2], [3] and [4]
[30.07.2014] - Added reference [5] and [6]
[20.10.2014] - Added reference [7]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
