
Croogo 2.0.0 Arbitrary PHP Code Execution Exploit

Risk
High
Advisory ID
ZSL-2014-5202
Release Date
12 October 2014
Vendor
Fahad Ibnay Heylaal - http://www.croogo.org
Affected Version
2.0.0
CVE
N/A
Tested On
Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
Summary

Croogo is a free, open source content management system for PHP, released under the MIT License. It is built on the CakePHP MVC framework.

Description

Croogo suffers from an authenticated arbitrary PHP code execution vulnerability. The vulnerability is caused by improper verification of uploaded files in the '/admin/file_manager/attachments/add' script through the 'data[Attachment][file]' POST parameter and in the '/admin/file_manager/file_manager/upload' script through the 'data[FileManager][file]' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file, which is stored in the web-accessible '/webroot/uploads/' directory. Exploitation requires an authenticated account with access to the admin file manager.
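The verification the advisory says is missing, modelled as an added example: a store routine that trusts the client-supplied filename (the behaviour described above) beside a hardened one that allowlists extensions, rejects any PHP-executable extension anywhere in the name, checks magic bytes and writes under a server-generated name. This is illustration written for this page in Python rather than Croogo's PHP so it runs stand-alone; it is not the project's code and not the advisory's proof of concept. The extension lists, the sample bodies and the directory layout are assumptions.

```python
"""Model of the upload handling behind ZSL-2014-5202: an unsafe store that
trusts the client filename beside a hardened store. Added illustration only;
neither function is Croogo's code. Lists and samples are assumptions."""
import os
import re
import secrets
import tempfile

# Extensions that PHP handler configs commonly execute (assumed list; tune to
# the server's real AddHandler/SetHandler lines).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"}

# Allowed final extensions with the magic bytes the body must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# Constructed sample bodies for the example (not files from the advisory).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_BYTES = b"<?php system($_GET['cmd']); ?>"


def store_unsafe(upload_dir, client_name, body):
    """Vulnerable pattern: the client's name becomes the path under the web
    root, so 'shell.php' lands as-is where Apache will execute it."""
    dest = os.path.join(upload_dir, os.path.basename(client_name))
    with open(dest, "wb") as fh:
        fh.write(body)
    return dest


class RejectedUpload(ValueError):
    pass


def validate_upload(client_name, body):
    """Return the extension to store under, or raise RejectedUpload.

    Order: no path separators, control chars or leading dot (blocks
    '../x' and '.htaccess'); no PHP-executable extension in ANY dotted
    component (Apache's multi-extension handling can run 'x.php.jpg');
    final extension on the allowlist; body magic bytes match it."""
    name = os.path.basename(client_name)
    if name != client_name or re.search(r"[\x00-\x1f/\\]", name) or name.startswith("."):
        raise RejectedUpload("bad filename")
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise RejectedUpload("no extension")
    if any(p in PHP_EXTENSIONS for p in parts[1:]):
        raise RejectedUpload("server-executable extension")
    ext = parts[-1]
    if ext not in ALLOWED:
        raise RejectedUpload("extension not allowed")
    if not body.startswith(ALLOWED[ext]):
        raise RejectedUpload("content does not match extension")
    return ext


def is_accepted(client_name, body):
    """Boolean wrapper over validate_upload."""
    try:
        validate_upload(client_name, body)
        return True
    except RejectedUpload:
        return False


def store_safe(upload_dir, client_name, body):
    """Hardened store: validate, then write under a random server-chosen
    name so the client never picks the path. Returns the stored path."""
    ext = validate_upload(client_name, body)
    dest = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    with open(dest, "wb") as fh:
        fh.write(body)
    return dest


def demo(upload_dir=None):
    """Run both handlers on the constructed samples; return a summary dict."""
    upload_dir = upload_dir or tempfile.mkdtemp(prefix="uploads-")
    unsafe_path = store_unsafe(upload_dir, "shell.php", PHP_BYTES)
    try:
        store_safe(upload_dir, "shell.php", PHP_BYTES)
        blocked = False
    except RejectedUpload:
        blocked = True
    safe_path = store_safe(upload_dir, "photo.png", PNG_BYTES)
    return {
        "unsafe_name": os.path.basename(unsafe_path),
        "shell_blocked": blocked,
        "safe_name_is_random": os.path.basename(safe_path) != "photo.png",
        "safe_ext": safe_path.rsplit(".", 1)[-1],
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real fix: the dangerous-extension set must reflect the server's handler configuration rather than a fixed list, and the strongest control is to keep uploads outside the document root (or under a directory where script execution is disabled) so that even a missed extension cannot be executed.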

Proof of Concept
Disclosure Timeline
[26.07.2014] Vulnerability discovered.
[27.07.2014] Vendor contacted.
[27.07.2014] Vendor responds asking for more details.
[27.07.2014] Sent details to the vendor.
[28.07.2014] Vendor confirms the issues, promising a patch.
[04.08.2014] Working with the vendor.
[07.08.2014] Fix developed.
[02.09.2014] Vendor releases version 2.1.0 to address these issues.
[12.10.2014] Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
[12.10.2014] Initial release
[14.10.2014] Added references [2], [3], [4], [5], [6] and [7]
[20.10.2014] Added reference [8]