ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit

Title: ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
Advisory ID: ZSL-2013-5159
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 01.11.2013
ImpressPages CMS is an open source web content management system with revolutionary drag & drop interface.
The vulnerability is caused due to the improper verification of uploaded files in '/ip_cms/modules/developer/config_exp_imp/manager.php' script thru the 'manage()' function (@line 65) when importing a configuration file. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in '/file/tmp' directory after successful injection. Permission Developer[Modules exp/imp] is required (parameter 'i_n_2[361]' = on) for successful exploitation.
ImpressPages UAB -
Affected Version
3.6, 3.5 and 3.1
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
GNU/Linux CentOS 6.3 (Final)
Apache 2.4.2 (Win32) / Apache2
PHP 5.4.7 / PHP 5.3.21
MySQL 5.5.25a
Vendor Status
[12.10.2013] Vulnerability discovered.
[20.10.2013] Contact with the vendor.
[20.10.2013] Vendor responds asking more details.
[22.10.2013] Sent details to the vendor.
[22.10.2013] Vendor working on reported issue.
[22.10.2013] Asked vendor for estimated timeframe for developing patch.
[24.10.2013] Vendor confirms the issue promising fix.
[29.10.2013] Vendor releases version 3.7 to address this issue.
[01.11.2013] Coordinated public security advisory released.
Vulnerability discovered by Gjoko Krstic - <>
[01.11.2013] - Initial release
[03.11.2013] - Added reference [3]
[04.11.2013] - Added reference [4], [5], [6] and [7]
[05.11.2013] - Added reference [8]
Zero Science Lab