
Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution

Severity: High
Advisory ID: ZSL-2015-5250
Release Date: 04 August 2015
Vendor: Microweber Team - http://www.microweber.com
Affected Version: 1.0.3
CVE: N/A
Tested On: Apache 2.4.10 (Win32), PHP 5.6.3, MySQL 5.6.21
Summary

Microweber is an open-source drag-and-drop PHP/Laravel CMS, licensed under the Apache License, Version 2.0, that lets you create your own website, blog or online shop.

Description

Microweber suffers from an authenticated arbitrary command execution vulnerability. The issue is caused by improper verification of uploaded files in the '/src/Microweber/functions/plupload.php' script. An authenticated user can bypass the extension restriction by appending a dot character to the end of the filename and uploading a malicious PHP script, which is stored in the '/userfiles/media/localhost/uploaded' directory and can then be requested to execute arbitrary PHP code.
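As an added illustration (not code from the advisory or from Microweber), the following Python shows why an extension check that only looks at the text after the last dot fails on a trailing-dot filename on Windows, where the filesystem stores 'shell.php.' as 'shell.php', beside a check that normalises the name the same way before deciding. The deny-list and allow-list contents are assumed for the example.

```python
import os

# Assumed lists for this example; the advisory does not show Microweber's own.
DENIED = {"php", "php3", "php4", "php5", "phtml", "phar"}
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def naive_extension(filename: str) -> str:
    """Everything after the last dot, which is '' for 'shell.php.'."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def naive_check_passes(filename: str) -> bool:
    """Deny-list check on the raw name: 'shell.php.' slips through."""
    return naive_extension(filename) not in DENIED


def windows_stored_name(filename: str) -> str:
    """Win32 strips trailing dots and spaces on file creation, so
    'shell.php.' lands on disk as 'shell.php' (Linux keeps the dot)."""
    return filename.rstrip(". ")


def hardened_check_passes(filename: str) -> bool:
    """Allow-list check on the name as the filesystem will store it."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = windows_stored_name(base)
    if base in ("", ".", "..") or "." not in base:
        return False
    # The final extension decides, and it must be on the allow-list.
    return base.rsplit(".", 1)[1].lower() in ALLOWED


def review_upload(filename: str) -> dict:
    """Side-by-side verdicts for one submitted filename."""
    return {
        "stored_as": windows_stored_name(filename),
        "naive_passes": naive_check_passes(filename),
        "hardened_passes": hardened_check_passes(filename),
    }


if __name__ == "__main__":
    for name in ("photo.png", "shell.php", "shell.php.", "shell.php. "):
        print(name, review_upload(name))
```

The same normalisation applies to any check that reads the stored path back: compare what the filesystem will actually write, not the string the client sent.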

Proof of Concept

Disclosure Timeline

12.07.2015 - Vulnerability discovered.
12.07.2015 - Initial contact with the vendor.
13.07.2015 - Vendor responds asking for more details.
13.07.2015 - Sent details to the vendor.
13.07.2015 - Vendor replies confirming the issue and developing fixed version 1.0.4.
04.08.2015 - Vendor releases official new version (1.0.4).
04.08.2015 - Coordinated public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

Changelog

04.08.2015 - Initial release
09.08.2015 - Added references [4] and [5]
13.08.2015 - Added reference [6]