ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit

Title: ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
Advisory ID: ZSL-2013-5159
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 01.11.2013
Summary
ImpressPages CMS is an open source web content management system with a revolutionary drag & drop interface.
Description
The vulnerability is caused by improper verification of uploaded files in the '/ip_cms/modules/developer/config_exp_imp/manager.php' script, in the 'manage()' function (at line 65), when importing a configuration file. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file, which is stored in the '/file/tmp' directory after successful injection. The Developer[Modules exp/imp] permission is required (parameter 'i_n_2[361]' = on) for successful exploitation.
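A detection check for the condition described above, as an added example that is not part of the original advisory: it scans Apache access-log lines for requests to script files under '/file/tmp', the directory where the advisory says the uploaded file is stored. The log format, the extension list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions commonly handed to the PHP interpreter (assumed list, adjust to the server config).
# The trailing [./] also catches double extensions (a.php.txt) and path-info (a.php/x).
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar|pht)(?:[./]|$)", re.IGNORECASE)
# Upload directory named in the advisory.
TMP_DIR = "/file/tmp/"
# Apache common/combined format: host ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2013:10:00:01 +0100] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Nov/2013:10:02:13 +0100] "GET /file/tmp/settings.php?x=1 HTTP/1.1" 200 31',
    '198.51.100.7 - - [01/Nov/2013:10:02:40 +0100] "GET /file/tmp/CFG%2EpHp HTTP/1.1" 404 210',
    '192.0.2.10 - - [01/Nov/2013:10:05:00 +0100] "GET /file/tmp/export.conf HTTP/1.1" 200 900',
]


def suspicious_requests(lines):
    """Return (client, time, path, status) for script requests under /file/tmp/."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, when, _method, target, status = m.groups()
        # Drop the query string, decode percent-encoding and collapse repeated
        # slashes so encoded or padded paths still match.
        path = re.sub(r"/+", "/", unquote(urlsplit(target).path))
        idx = path.lower().find(TMP_DIR)
        if idx == -1:
            continue
        filename = path[idx + len(TMP_DIR):]
        if SCRIPT_EXT.search(filename):
            hits.append((client, when, path, int(status)))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the server answered a request for a script in the upload directory and deserves the closest look; denying script execution in '/file/tmp' at the web-server level removes the condition regardless of CMS version.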
Vendor
ImpressPages UAB - http://www.impresspages.org
Affected Version
3.6, 3.5 and 3.1
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
GNU/Linux CentOS 6.3 (Final)
Apache 2.4.2 (Win32) / Apache2
PHP 5.4.7 / PHP 5.3.21
MySQL 5.5.25a
Vendor Status
[12.10.2013] Vulnerability discovered.
[20.10.2013] Contact with the vendor.
[20.10.2013] Vendor responds asking for more details.
[22.10.2013] Sent details to the vendor.
[22.10.2013] Vendor working on reported issue.
[22.10.2013] Asked vendor for estimated timeframe for developing patch.
[24.10.2013] Vendor confirms the issue, promising a fix.
[29.10.2013] Vendor releases version 3.7 to address this issue.
[01.11.2013] Coordinated public security advisory released.
PoC
impress_rce.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/
[2] http://cxsecurity.com/issue/WLB-2013110003
[3] http://www.exploit-db.com/exploits/29331/
[4] http://www.osvdb.org/show/osvdb/99274
[5] http://packetstormsecurity.com/files/123879
[6] http://secunia.com/advisories/55505
[7] http://1337day.com/exploit/21456
[8] http://www.securityfocus.com/bid/63507
Changelog
[01.11.2013] - Initial release
[03.11.2013] - Added reference [3]
[04.11.2013] - Added reference [4], [5], [6] and [7]
[05.11.2013] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk