
ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit

High
Advisory ID: ZSL-2013-5159
Release Date: 01 November 2013
Vendor: ImpressPages UAB - http://www.impresspages.org
Affected Version: 3.6, 3.5 and 3.1
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), GNU/Linux CentOS 6.3 (Final), Apache 2.4.2 (Win32) / Apache2, PHP 5.4.7 / PHP 5.3.21, MySQL 5.5.25a
Summary

ImpressPages CMS is an open source web content management system with a revolutionary drag & drop interface.

Description

The vulnerability is caused by improper verification of uploaded files in the '/ip_cms/modules/developer/config_exp_imp/manager.php' script, in the 'manage()' function (at line 65), when importing a configuration file. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file, which is stored in the '/file/tmp' directory after successful injection. The Developer[Modules exp/imp] permission is required (parameter 'i_n_2[361]' = on) for successful exploitation.
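A defender-side check for the condition described above, added here as an example and not part of the original advisory or of ImpressPages: it walks a site's '/file/tmp' directory and reports files that Apache could hand to PHP or that contain PHP opening tags. The function names, the extension list and the default path are assumptions made for this illustration.

```python
import os
import re
import sys

# Extensions commonly mapped to the PHP handler (assumption: typical Apache/PHP setups).
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
# "<?php" or "<?=" in any case; deliberately does not match "<?xml".
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify(path):
    """Return the reasons a file in the upload area looks like executable PHP."""
    reasons = []
    name = os.path.basename(path).lower()
    # Check every dot-separated part: with AddHandler, Apache's mod_mime can
    # treat "x.php.conf" as PHP, so the last extension alone is not enough.
    if any(part in PHP_EXTS for part in name.split(".")[1:]):
        reasons.append("php-extension")
    if name == ".htaccess":
        reasons.append("htaccess-override")
    try:
        with open(path, "rb") as fh:
            # The first 1 MiB is enough to spot an opening tag in a small upload.
            if PHP_OPEN_TAG.search(fh.read(1 << 20)):
                reasons.append("php-open-tag")
    except OSError:
        reasons.append("unreadable")
    return reasons


def find_suspect_uploads(tmp_dir):
    """Walk tmp_dir and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for base, _dirs, files in os.walk(tmp_dir):
        for fname in files:
            full = os.path.join(base, fname)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, tmp_dir)] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python scan_tmp.py /path/to/site/file/tmp
    target = sys.argv[1] if len(sys.argv) > 1 else "file/tmp"
    for rel, why in sorted(find_suspect_uploads(target).items()):
        print(f"{rel}: {', '.join(why)}")
```

Any hit in this directory on an affected version (3.6, 3.5 or 3.1) warrants review of which accounts hold the Developer[Modules exp/imp] permission.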

Proof of Concept
Disclosure Timeline
12.10.2013 - Vulnerability discovered.
20.10.2013 - Contact with the vendor.
20.10.2013 - Vendor responds asking for more details.
22.10.2013 - Sent details to the vendor.
22.10.2013 - Vendor working on reported issue.
22.10.2013 - Asked vendor for estimated timeframe for developing patch.
24.10.2013 - Vendor confirms the issue, promising a fix.
29.10.2013 - Vendor releases version 3.7 to address this issue.
01.11.2013 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
01.11.2013 - Initial release
03.11.2013 - Added reference [3]
04.11.2013 - Added reference [4], [5], [6] and [7]
05.11.2013 - Added reference [8]