
Zenario CMS 7.0.7c Remote Code Execution Vulnerability

Medium
Advisory ID: ZSL-2015-5280
Release Date: 17 November 2015
Vendor: Tribal Ltd. - http://www.zenar.io
Affected Version: <= 7.0.7c and 7.1.0 (svn)
CVE: N/A
Tested On: Ubuntu 14.04 LTS, PHP 5.5.9-1ubuntu4.1, Zend Engine v2.5.0, Zend OPcache v7.0.3
Summary

Zenario is a web-based content management system for sites with one or many languages. It's designed to grow with your site, adding extranet, online database and custom functionality when you need it.

Description

The vulnerability is caused by improper verification of files uploaded through the Document upload script via the 'Filedata' POST parameter. This allows arbitrary files to be uploaded to '/public/downloads', where they are reachable through a publicly generated link; the admin first needs to add the file extension to the allowed list. This can be exploited to execute arbitrary PHP code and system commands by uploading a malicious PHP script file.
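The following is an added example, not code from this advisory or from Zenario: a sketch of an upload filename check that refuses server-executable extensions even when the admin-editable allowed list contains them. The function name `safe_upload_name`, the `NEVER_ALLOWED` list and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not Zenario code. Names and lists below are assumptions.

// Extensions a web server may hand to an interpreter; never storable,
// whatever the admin-editable allowed list says.
const NEVER_ALLOWED = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
                       'pht', 'cgi', 'pl', 'py', 'sh', 'htaccess'];

/**
 * Decide whether an uploaded document may be stored, and under what name.
 * Returns a random storage name on success, or null to reject the upload.
 */
function safe_upload_name(string $clientName, array $adminAllowlist): ?string
{
    // Reject control bytes (including NUL), then strip any path components.
    if (preg_match('/[\x00-\x1f]/', $clientName)) {
        return null;
    }
    $base = basename(str_replace('\\', '/', $clientName));

    // Check every dot-separated segment, not only the last one:
    // "shell.php.pdf" can still reach the PHP handler on some server setups.
    $segments = array_map('strtolower', explode('.', $base));
    array_shift($segments); // drop the part before the first dot
    if ($segments === []) {
        return null; // no extension at all
    }
    foreach ($segments as $seg) {
        if (in_array($seg, NEVER_ALLOWED, true)) {
            return null; // hard deny overrides the admin's allowed list
        }
    }

    $ext = end($segments);
    if (!in_array($ext, array_map('strtolower', $adminAllowlist), true)) {
        return null;
    }

    // Server-chosen name: the client controls nothing but the extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs; the list models an admin who added "php".
$allow = ['pdf', 'docx', 'php'];
foreach (['report.pdf', 'shell.php', 'shell.php.pdf', '../x.PHTML', 'notes'] as $name) {
    printf("%-14s => %s\n", $name, safe_upload_name($name, $allow) ?? 'REJECTED');
}
```

A filename check is one layer; configuring the web server not to execute scripts from the upload directory covers whatever the check misses.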

Proof of Concept
Disclosure Timeline
27.10.2015: Vulnerability discovered.
28.10.2015: Vendor contacted.
28.10.2015: Vendor responds asking for more details.
29.10.2015: Sent details to the vendor.
30.10.2015: Vendor is looking into the issue.
01.11.2015: Working with the vendor.
15.11.2015: Asked vendor for status update.
16.11.2015: Vendor releases version 7.0.7d to address this issue.
17.11.2015: Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
17.11.2015: Initial release
18.11.2015: Added references [2] and [3]
19.11.2015: Added reference [4]