← Advisories

iScripts EasyCreate 3.0 Remote Code Execution Exploit

High
Advisory ID
ZSL-2016-5297
Release Date
28 January 2016
Vendor
iScripts.com - http://www.iscripts.com
Affected Version
3.0
CVE
N/A
Tested On
Apache, MySQL 5.5.40
Summary

iScripts EasyCreate is a private label online website builder. This software allows you to start an online business by offering website building services to your customers. Equipped with drag and drop design functionality, crisp templates and social sharing capabilities, this online website builder software will allow you to provide the best website building features to your users.

Description

iScripts EasyCreate suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in '/ajax_image_upload.php' script thru the 'userImages' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with '.php4' extension (to bypass the '.htaccess' block rule) that will be stored in '/uploads/siteimages/thumb/' directory.

Proof of Concept
iscripts_rce.pyTXT
Disclosure Timeline
17.11.2015First contact to vendor.
08.12.2015Follow up with vendor. No response received.
08.12.2015Ticket Created using online portal (id #010248399110346).
08.12.2015Ticket closed by vendor without requesting vulnerability details.
28.12.2015Vendor responds asking more details.
29.12.2015Sent details to the vendor.
05.01.2016Follow up with vendor. No response received.
14.01.2016Follow up with vendor. No response received.
28.01.2016Public Security advisory released.
Credits
Vulnerability discovered by Bikramaditya Guha
References
[1]https://packetstormsecurity.com/files/135513
[2]https://cxsecurity.com/issue/WLB-2016010230
[3]https://www.exploit-db.com/exploits/39387/
Changelog
28.01.2016Initial release
31.01.2016Added reference [1] and [2]
01.02.2016Added reference [3]