Centreon 2.6.1 Unrestricted File Upload Vulnerability

Title: Centreon 2.6.1 Unrestricted File Upload Vulnerability
Advisory ID: ZSL-2015-5264
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.09.2015
Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management.
The vulnerability is caused due to the improper verification of uploaded files via the 'filename' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in the '/img/media/' directory.
Centreon - https://www.centreon.com
Affected Version
2.6.1 (CES 3.2)
Tested On
CentOS 6.6 (Final)
Vendor Status
[10.08.2015] Vulnerability discovered.
[12.08.2015] Vendor contacted.
[13.08.2015] Vendor replies asking more details.
[13.08.2015] Sent details to the vendor.
[14.08.2015] Vendor sends details to developing team.
[19.08.2015] Asked vendor for status update.
[19.08.2015] Vendor states that some issues were fixed in 2.6.2 and rest will be fixed in 2.6.3 or 2.7.
[25.08.2015] Asked vendor for status update.
[25.08.2015] Vendor will get back to us by 15th of September because of holidays.
[16.09.2015] No reply from the vendor.
[17.09.2015] Informed vendor about public release.
[17.09.2015] Vendor has released version 2.6.2 fixing the file upload issue. Remaining issues promised to be fixed in next release.
[24.09.2015] Vendor releases version 2.6.3 to fix remaining issues?
[26.09.2015] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
[1] https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.6.2.html
[2] https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.6.3.html
[3] https://www.exploit-db.com/exploits/38339/
[4] https://packetstormsecurity.com/files/133744
[5] https://cxsecurity.com/issue/WLB-2015090168
[26.09.2015] - Initial release
[07.10.2015] - Added reference [3], [4] and [5]
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk