Lunar CMS 3.3 Unauthenticated Remote Command Execution Exploit

Title: Lunar CMS 3.3 Unauthenticated Remote Command Execution Exploit
Advisory ID: ZSL-2014-5189
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 21.06.2014
Summary
Lunar CMS is a freely distributable open source content management system written for use on servers running the ever so popular PHP5 & MySQL.
Description
Lunar CMS suffers from an unauthenticated arbitrary command execution vulnerability. The issue is caused by improper verification of elFinder's upload/create/rename functions in the file manager. This can be exploited to execute arbitrary PHP code by creating or uploading a malicious PHP script file that is stored in the '/files' directory.
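As an added detection example from the defender's side (not part of this advisory or of Lunar CMS), the Python check below flags file-manager connector requests of the kind the description covers in Apache access logs; the connector path fragment, the elFinder command names mkfile/rename, and the sample log lines are assumptions and constructed data.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache combined-log prefix: client, identity, user, [time], "METHOD URL PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# elFinder command names for create and rename (mkfile, rename) are assumed from the
# elFinder API; the connector path fragment is a placeholder, adjust to the deployment.
WRITE_CMDS = {"mkfile", "rename"}
CONNECTOR_HINT = "connector"
# Extensions a typical Apache/PHP setup executes, including double extensions like x.php.jpg.
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)


def classify(line):
    """Return (severity, reason) for one log line, or None when it is not of interest."""
    m = LOG_RE.match(line)
    if not m or CONNECTOR_HINT not in m.group("url"):
        return None
    ip, method, status = m.group("ip"), m.group("method"), m.group("status")
    params = parse_qs(urlparse(m.group("url")).query)
    cmd, name = params.get("cmd", [""])[0], params.get("name", [""])[0]
    if cmd in WRITE_CMDS and PHP_EXT_RE.search(name):
        return ("high", f"{ip} {cmd} with script file name {name!r} (HTTP {status})")
    if method == "POST":
        # Upload commands travel in the multipart body, so the log shows only a POST;
        # the written file name has to be checked in the /files directory itself.
        return ("medium", f"{ip} POST to file-manager connector (HTTP {status}), review /files")
    if cmd in WRITE_CMDS:
        return ("low", f"{ip} {cmd} of {name!r} (HTTP {status})")
    return None


def scan(lines):
    """Apply classify() to each log line and return the findings in log order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines (not real traffic); the connector path is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Jun/2014:10:00:01 +0200] "GET /admin/elfinder/connector.php?cmd=open&target=l1_Lw HTTP/1.1" 200 512',
    '203.0.113.5 - - [21/Jun/2014:10:00:02 +0200] "GET /admin/elfinder/connector.php?cmd=mkfile&target=l1_Lw&name=cmd.php HTTP/1.1" 200 310',
    '203.0.113.5 - - [21/Jun/2014:10:00:03 +0200] "POST /admin/elfinder/connector.php HTTP/1.1" 200 290',
    '198.51.100.7 - - [21/Jun/2014:10:00:04 +0200] "GET /admin/elfinder/connector.php?cmd=rename&target=l1_YS50eHQ&name=notes.txt HTTP/1.1" 200 301',
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

Any "high" hit, or a "medium" POST followed by a new PHP file under '/files', is the pattern to act on; the fixed version 3.3-3 removes the unauthenticated write path.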
Vendor
Lunar CMS - http://www.lunarcms.com
Affected Version
3.3
Tested On
Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vendor Status
[11.06.2014] Vulnerabilities discovered.
[12.06.2014] Vendor contacted.
[12.06.2014] Vendor replies asking more details.
[12.06.2014] Sent details to the vendor.
[12.06.2014] Vendor confirms the vulnerabilities.
[13.06.2014] Working with the vendor.
[19.06.2014] Vendor releases fixed version 3.3-3 to address these issues.
[21.06.2014] Coordinated public security advisory released.
PoC
lunarcms_rce.py
lunarcms_rce2.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://lunarcms.com/Get.html
[2] http://osvdb.org/show/osvdb/108307
[3] http://cxsecurity.com/issue/WLB-2014060123
[4] http://packetstormsecurity.com/files/127189
[5] http://www.securityfocus.com/bid/68154
[6] http://www.exploit-db.com/exploits/33867/
[7] http://1337day.com/exploit/22377
[8] http://www.vfocus.net/art/20140624/11594.html
[9] http://xforce.iss.net/xforce/xfdb/94004
Changelog
[21.06.2014] - Initial release
[24.06.2014] - Added reference [2], [3], [4] and [5]
[26.06.2014] - Added reference [6]
[28.06.2014] - Added reference [7] and [8]
[05.07.2014] - Added reference [9]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk