
AdaptCMS 3.0.3 Remote Command Execution Exploit

Risk
High
Advisory ID
ZSL-2015-5220
Release Date
05 January 2015
Vendor
Insane Visions - http://www.adaptcms.com
Affected Version
3.0.3
Tested On
Apache 2.4.10 (Win32), PHP 5.6.3, MySQL 5.6.21
Summary

AdaptCMS is a Content Management System trying to be both simple and easy to use, as well as very agile and extendable. Not only so we can easily create Plugins or additions, but so other developers can get involved. Using CakePHP we are able to achieve this with a built-in plugin system and MVC setup, allowing us to focus on the details and end-users to focus on building their website to look and feel great.

Description

AdaptCMS suffers from an authenticated arbitrary command execution vulnerability. The issue is caused by insufficient verification of uploaded files: an authenticated user can create or upload a malicious PHP script that is stored in the '\app\webroot\uploads' directory, a web-reachable location from which the server will execute it, resulting in arbitrary PHP code execution.
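The following is an added, defensive example and is not AdaptCMS or CakePHP code: a generic PHP upload handler that performs the checks whose absence the description above attributes to the affected version. The upload directory, size cap, allow-list and the form field name "upload" are assumptions chosen for illustration.

```php
<?php
// Added example (not AdaptCMS code): a defensive upload handler.
// UPLOAD_DIR, MAX_BYTES, ALLOWED and the field name "upload" are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';  // assumed storage path
const MAX_BYTES  = 2 * 1024 * 1024;       // assumed size cap (2 MiB)

// Allowed extension => MIME type that the file's own bytes must match.
const ALLOWED = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Validate one $_FILES entry and return a safe, server-chosen file name.
 * The client-supplied name and $file['type'] are treated as untrusted.
 */
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . (string) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ((int) $file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Exactly one extension and a restricted character set: this rejects
    // names such as "shell.php.png" or names containing path separators.
    $name = basename((string) $file['name']);
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        throw new RuntimeException('unacceptable file name');
    }
    $ext = strtolower($m[1]);
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension .$ext is not allowed");
    }

    // Sniff the type from the file content, never from the client-sent type.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // Random name: the original name never decides the on-disk path or extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Validate and move the upload; returns the final on-disk path. */
function store_upload(array $file): string
{
    $safeName = validate_upload($file);
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    $dest = UPLOAD_DIR . '/' . $safeName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0640); // no execute bit on the stored file
    return $dest;
}

if (isset($_FILES['upload'])) {
    try {
        $path = store_upload($_FILES['upload']);
        echo 'stored as ' . htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Validation of name, extension and content is only one half of the mitigation; the other is to configure the web server so that nothing under the upload directory is ever handed to the PHP interpreter (for Apache with mod_php, for example, a per-directory `php_admin_flag engine off`), so that a file which slips past the checks is served as static data rather than executed.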

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
05.01.2015 Initial release
06.01.2015 Added reference [1], [2], [3], [4], [5], [6] and [7]
07.01.2015 Added reference [8]
17.01.2015 Added reference [9] and [10]
23.01.2015 Added reference [11]