Title: Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution
Advisory ID: ZSL-2015-5250
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 04.08.2015

Summary

Microweber is an open source drag and drop PHP/Laravel CMS licensed under Apache License, Version 2.0 which allows you to create your own website, blog or online shop.

Description

Microweber suffers from an authenticated arbitrary command execution vulnerability. The issue is caused due to the improper verification when uploading files in '/src/Microweber/functions/plupload.php' script. This can be exploited to execute arbitrary PHP code by bypassing the extension restriction by putting the dot character at the end of the filename and uploading a malicious PHP script file that will be stored in '/userfiles/media/localhost/uploaded' directory.

Vendor

Microweber Team - http://www.microweber.com

Affected Version

1.0.3

Tested On

Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21

Vendor Status

[12.07.2015] Vulnerability discovered.
[12.07.2015] Initial contact with the vendor.
[13.07.2015] Vendor responds asking more details.
[13.07.2015] Sent details to the vendor.
[13.07.2015] Vendor replies with confirmation of the issue developing fixed version 1.0.4.
[04.08.2015] Vendor releases official new version (1.0.4).
[04.08.2015] Coordinated public security advisory released.

PoC

microweber_upload.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://github.com/microweber/microweber/blob/master/CHANGELOG.md
[2] https://microweber.com/list-of-contributors
[3] http://cxsecurity.com/issue/WLB-2015080029
[4] https://www.exploit-db.com/exploits/37735/
[5] https://packetstormsecurity.com/files/132970
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/105422

Changelog

[04.08.2015] - Initial release
[09.08.2015] - Added reference [4] and [5]
[13.08.2015] - Added reference [6]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk