← Advisories

Lunar CMS 3.3 Unauthenticated Remote Command Execution Exploit

High
Advisory ID
ZSL-2014-5189
Release Date
21 June 2014
Vendor
Lunar CMS - http://www.lunarcms.com
Affected Version
3.3
CVE
N/A
Tested On
Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
Summary

Lunar CMS is a freely distributable open source content management system written for use on servers running the ever so popular PHP5 & MySQL.

Description

Lunar CMS suffers from an unauthenticated arbitrary command execution vulnerability. The issue is caused due to the improper verification of elfinder's upload/create/rename function in the file manager. This can be exploited to execute arbitrary PHP code by creating or uploading a malicious PHP script file that will be stored in '/files' directory.

Proof of Concept
lunarcms_rce.pyTXT
lunarcms_rce2.htmlHTML
Disclosure Timeline
11.06.2014Vulnerabilities discovered.
12.06.2014Vendor contacted.
12.06.2014Vendor replies asking more details.
12.06.2014Sent details to the vendor.
12.06.2014Vendor confirms the vulnerabilities.
13.06.2014Working with the vendor.
19.06.2014Vendor releases fixed version 3.3-3 to address these issues.
21.06.2014Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://lunarcms.com/Get.html
[2]http://osvdb.org/show/osvdb/108307
[3]http://cxsecurity.com/issue/WLB-2014060123
[4]http://packetstormsecurity.com/files/127189
[5]http://www.securityfocus.com/bid/68154
[6]http://www.exploit-db.com/exploits/33867/
[7]http://1337day.com/exploit/22377
[8]http://www.vfocus.net/art/20140624/11594.html
[9]http://xforce.iss.net/xforce/xfdb/94004
Changelog
21.06.2014Initial release
24.06.2014Added reference [2], [3], [4] and [5]
26.06.2014Added reference [6]
28.06.2014Added reference [7] and [8]
05.07.2014Added reference [9]