JobScript Open Redirection And Arbitrary Code Execution Vulnerability

Title: JobScript Open Redirection And Arbitrary Code Execution Vulnerability
Advisory ID: ZSL-2016-5322
Type: Local/Remote
Impact: Spoofing, System Access
Risk: (3/5)
Release Date: 22.05.2016
Summary
JobScript is inbuilt structured website was developed in PHP and MySQL database. It's a complete job script for those who wants to start a professional job portal website like naukri.com, monster.com, clickjobs.com or any such major job portals. Jobscript was designed and developed with the following features like control panel for Employer's and also for Job Seeker's, email alerts, job search, online resume, payment and membership plans.
Description
JobScript suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in '/admin-ajax.php' script thru the 'name' and 'file' POST parameters. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with '.php' extension (to bypass the '.htaccess' block rule) that will be stored in '/jobmonster/wp-content/uploads/jobmonster/' directory. Input passed via the 'redirect_to' POST parameter in '/jobmoster/wp-admin/admin-ajax.php' is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
Vendor
JobScript - http://www.jobscript.in
Affected Version
N/A
Tested On
Apache 2.4.9
PHP 5.4.26
Vendor Status
[31.03.2016] Vulnerability discovered.
[31.03.2016] Contact with the vendor.
[01.04.2016] Follow up with vendor over a chat.
[21.05.2016] No response from the vendor.
[22.05.2016] Public security advisory released.
PoC
jobscript_rce.py
jobscript_mv.txt
Credits
Vulnerability discovered by Bikramaditya Guha - <bik@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2016050103
[2] https://cxsecurity.com/issue/WLB-2016050102
[3] https://packetstormsecurity.com/files/137147
[4] https://packetstormsecurity.com/files/137148
[5] https://www.exploit-db.com/exploits/39848/
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/113401
[7] https://exchange.xforce.ibmcloud.com/vulnerabilities/113403
Changelog
[22.05.2016] - Initial release
[23.05.2016] - Added reference [1], [2], [3], [4] and [5]
[25.05.2016] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk