← Advisories

Oxwall 1.7.0 Remote Code Execution Exploit

High

Advisory ID

ZSL-2014-5196

Release Date

28 July 2014

Vendor

Oxwall Software Foundation - http://www.oxwall.org

Affected Version

1.7.0 (build 7907 and 7906)

CVE

N/A

Tested On

Kali Linux 3.7-trunk-686-pae, Apache/2.2.22 (Debian), PHP 5.4.4-13(apache2handler), MySQL 5.5.28

Summary

Oxwall is unbelievably flexible and easy to use PHP/MySQL social networking software platform.

Description

Oxwall suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in '/admin/settings/user' script thru the 'avatar' and 'bigAvatar' POST parameters. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with '.php5' extension (to bypass the '.htaccess' block rule) that will be stored in '/ow_userfiles/plugins/base/avatars/' directory.

Proof of Concept

oxwall_rce.pyTXT

Disclosure Timeline

18.07.2014Vulnerabilities discovered.

18.07.2014Vendor contacted.

20.07.2014No reply from the vendor.

21.07.2014Vendor contacted again.

23.07.2014Reminded vendor on twitter to check their e-mails.

23.07.2014No reply from the vendor whatsoever.

23.07.2014Created a forum account and contacted the vendor there.

24.07.2014Vendor responds on the forum post asking more details.

24.07.2014Informed the vendor to conference via e-mail.