SkaDate Lite 2.0 Remote Code Execution Exploit

Title: SkaDate Lite 2.0 Remote Code Execution Exploit
Advisory ID: ZSL-2014-5198
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 30.07.2014
Summary
SkaDate Lite is a new platform that makes it easy to start an online dating business in just a few easy steps. No programming or design knowledge is required. Install the solution, pick a template, and start driving traffic to your new online dating site.
Description
SkaDate Lite suffers from an authenticated arbitrary PHP code execution vulnerability. The vulnerability is caused by improper verification of uploaded files in the '/admin/settings/user' script through the 'avatar' and 'bigAvatar' POST parameters. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with a '.php5' extension (to bypass the '.htaccess' block rule) that will be stored in the '/ow_userfiles/plugins/base/avatars/' directory.
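The weakness described above is a denylist on file extensions: the '.htaccess' rule blocks '.php' but not '.php5', so the check is bypassed by renaming the payload. The following is an added example (not SkaDate or Skalfa code) of the hardened form of an avatar upload handler, written for PHP 7 or later with the GD and fileinfo extensions. The function name storeAvatarUpload, the $_FILES['avatar'] entry and the $storageDir parameter are assumptions for illustration. It allowlists image types by detected content, derives the extension from that allowlist rather than from the client-supplied name, and re-encodes the image so only pixel data reaches the storage directory.

```php
<?php
// Added example, not part of the original advisory or the SkaDate code base.
// Assumes the upload arrives as $_FILES['avatar'] and is stored in $storageDir.
declare(strict_types=1);

/**
 * Validate an uploaded image and store it under a server-generated name.
 * Returns the stored path; throws RuntimeException on any validation failure.
 */
function storeAvatarUpload(array $file, string $storageDir): string
{
    // PHP's own upload status must be clean before anything else is trusted.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Allowlist: MIME type detected from content => extension we will write.
    // A denylist of executable extensions (.php, .php5, .phtml, ...) is the
    // pattern that fails; the advisory above is one such bypass.
    $allowed = array(
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    );

    // Detect the type from the bytes, never from $file['type'] or the
    // client-supplied file name, both of which the uploader controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported image type: ' . $mime);
    }

    // getimagesize() must agree with finfo; a script with a forged header
    // is rejected here even if it passed the magic-byte check.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }

    // Re-encode through GD so only pixel data survives; any PHP code
    // embedded in comments, metadata or trailing bytes is discarded.
    switch ($mime) {
        case 'image/jpeg': $image = imagecreatefromjpeg($file['tmp_name']); break;
        case 'image/png':  $image = imagecreatefrompng($file['tmp_name']);  break;
        default:           $image = imagecreatefromgif($file['tmp_name']);  break;
    }
    if ($image === false) {
        throw new RuntimeException('Image could not be decoded');
    }

    // Random, server-generated name with the allowlisted extension: the
    // original file name never influences what is written to disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;

    switch ($mime) {
        case 'image/jpeg': $ok = imagejpeg($image, $dest, 90); break;
        case 'image/png':  $ok = imagepng($image, $dest);      break;
        default:           $ok = imagegif($image, $dest);      break;
    }
    imagedestroy($image);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    return $dest;
}

// Usage in the upload handler (assumed form field name 'avatar'):
// $path = storeAvatarUpload($_FILES['avatar'], '/path/to/ow_userfiles/plugins/base/avatars');
```

Two caveats belong with this check. First, the application-level validation should be backed by the web server: the upload directory must be served with script execution disabled, because any future gap in validation otherwise becomes code execution again. Second, '.htaccess' files are read only by Apache; the environment listed under "Tested On" runs nginx, where the equivalent protection is a server-side location rule for the '/ow_userfiles/' path that refuses to pass files to the PHP interpreter. On the detection side, any file under '/ow_userfiles/plugins/base/avatars/' whose content is not an image, or whose extension is not in the allowlist, is worth an alert, since the handler above can never produce one.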
Vendor
Skalfa LLC - http://lite.skadate.com
Affected Version
2.0 (build 7651) [Platform version: 1.7.0 (build 7906)]
Tested On
CentOS Linux 6.5 (Final)
nginx/1.6.0
PHP/5.3.28
MySQL 5.5.37
Vendor Status
[23.07.2014] Vulnerability discovered.
[28.07.2014] Vendor contacted.
[28.07.2014] Vendor responds asking for more details.
[28.07.2014] Sent details to the vendor.
[29.07.2014] Vendor will fix the issues in the next release.
[30.07.2014] Public security advisory released.
PoC
skadatelite_rce.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5196.php
[2] http://www.exploit-db.com/exploits/34205/
[3] http://osvdb.org/show/osvdb/109690
[4] http://packetstormsecurity.com/files/127691
[5] http://sebug.net/vuldb/ssvid-87168
[6] http://cxsecurity.com/issue/WLB-2014070182
[7] http://xforce.iss.net/xforce/xfdb/95056
Changelog
[30.07.2014] - Initial release
[05.10.2014] - Added references [3], [4], [5] and [6]
[20.10.2014] - Added reference [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk