
SkaDate Lite 2.0 Remote Code Execution Exploit

High
Advisory ID: ZSL-2014-5198
Release Date: 30 July 2014
Vendor:
Affected Version: 2.0 (build 7651) [Platform version: 1.7.0 (build 7906)]
CVE: N/A
Tested On: CentOS Linux 6.5 (Final), nginx/1.6.0, PHP/5.3.28, MySQL 5.5.37
Summary

SkaDate Lite is a new platform that makes it easy to start an online dating business in just a few easy steps. No programming or design knowledge is required. Install the solution, pick a template, and start driving traffic to your new online dating site.

Description

SkaDate Lite suffers from an authenticated arbitrary PHP code execution vulnerability. It is caused by improper verification of files uploaded to the '/admin/settings/user' script through the 'avatar' and 'bigAvatar' POST parameters. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with a '.php5' extension (to bypass the '.htaccess' block rule), which is then stored in the '/ow_userfiles/plugins/base/avatars/' directory.
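A defender can review what is already stored in the avatars directory for files that are not genuine images. The following audit script is an added example, not code from the advisory or from SkaDate; the image allowlist, the list of PHP-handled name prefixes and the sample files are assumptions constructed for illustration.

```python
import os
# Assumption: avatars are only ever JPEG, PNG or GIF files.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Assumption: name parts the web server may hand to PHP (.php, .php5, .phtml, .phar).
PHP_PREFIXES = ("php", "pht", "phar")

def audit_file(path):
    """Return the findings for one file; an empty list means nothing suspicious."""
    parts = os.path.basename(path).lower().split(".")[1:]
    ext = "." + parts[-1] if parts else ""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if ext not in IMAGE_MAGIC:
        findings.append("extension not in image allowlist")
    elif not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("content does not match extension")
    # Look at every dot-separated part, so 'x.php5.jpg' is reported too.
    if any(p.startswith(PHP_PREFIXES) for p in parts):
        findings.append("PHP-handler extension in name")
    if b"<?php" in data.lower():
        findings.append("PHP open tag in content")
    return findings

def audit_tree(root):
    """Walk root and map each suspicious relative path to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found = audit_file(full)
            if found:
                report[os.path.relpath(full, root)] = found
    return report

def build_sample(root):
    """Write constructed sample files that stand in for an avatars directory."""
    samples = {
        "avatar_1.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "avatar_2.php5": b"<?php /* constructed marker */ ?>",
        "avatar_3.png": b"\x89PNG\r\n\x1a\n<?php /* constructed marker */ ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
```

Calling `audit_tree()` on a copy of the site's '/ow_userfiles/plugins/base/avatars/' directory returns only the files that need review, each with the reasons it was flagged.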

Proof of Concept
Disclosure Timeline
23.07.2014: Vulnerability discovered.
28.07.2014: Vendor contacted.
28.07.2014: Vendor responds asking for more details.
28.07.2014: Sent details to the vendor.
29.07.2014: Vendor will fix the issues in the next release.
30.07.2014: Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
30.07.2014: Initial release
05.10.2014: Added reference [3], [4], [5] and [6]
20.10.2014: Added reference [7]