← Advisories

ImpressPages CMS v3.6 Remote Arbitrary File Deletion Vulnerability

Medium
Advisory ID
ZSL-2013-5158
Release Date
31 October 2013
Vendor
ImpressPages UAB - http://www.impresspages.org
Affected Version
3.6
CVE
N/A
Tested On
Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.7, MySQL 5.5.25a
Summary

ImpressPages CMS is an open source web content management system with revolutionary drag & drop interface.

Description

Input passed to the 'files[0][file]' parameter in '/ip_cms/modules/administrator/repository/controller.php' is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the affected POST parameter.

Proof of Concept
impresspages_del.txtTXT
Disclosure Timeline
12.10.2013Vulnerability discovered.
20.10.2013Contact with the vendor.
20.10.2013Vendor responds asking more details.
22.10.2013Sent details to the vendor.
22.10.2013Vendor working on reported issue.
22.10.2013Asked vendor for estimated timeframe for developing patch.
24.10.2013Vendor confirms the issue promising fix.
29.10.2013Vendor releases version 3.7 to address this issue.
31.10.2013Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/
[2]http://packetstormsecurity.com/files/123872
[3]http://www.osvdb.org/show/osvdb/99222
[4]http://cxsecurity.com/issue/WLB-2013110001
[5]http://www.securityfocus.com/bid/63470
[6]http://www.exploit-db.com/exploits/29328/
[7]http://secunia.com/advisories/55505
Changelog
31.10.2013Initial release
01.11.2013Added reference [2], [3], [4] and [5]
03.11.2013Added reference [6]
04.11.2013Added reference [7]