OV3 Online Administration 3.0 Authenticated Code Execution

Title: OV3 Online Administration 3.0 Authenticated Code Execution
Advisory ID: ZSL-2017-5411
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 30.05.2017
Summary
With the decision to use the OV3 as a platform for your data management, the course is set for scalable, flexible and high-performance applications. Whether you use the OV3 for your internal data management or use it for commercial business applications such as shops, portals, etc. Thanks to the data-based structure of the OV3, you always have the best tool at your fingertips. The OV3 is a 100% web-based tool. This eliminates the need to install a new software on all participating client computers. All elements are operated by a standard browser. Further advantages are the location-dependent use and - particularly with ASP solutions - the reduced costs for local hardware like own servers and modern client workstations.
Description
The application suffers from an authenticated arbitrary code execution. The vulnerability is caused due to the improper verification of uploaded files in 'image_editor.php' script thru the 'userfile' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in '/media/customers/' directory. There is an extension check when uploading images and if the uploaded file does not have the .jpg or .png extension, the application uploads the file with .safety extension, which still executes PHP code. The attacker only needs the sid parameter value which is disclosed within the initial GET request while authenticating and can be collected in MitM attack.
Vendor
novaCapta Software & Consulting GmbH - http://www.meacon.de
Affected Version
3.0
Tested On
CentOS release 6.8 (Final)
PHP/5.3.3
Apache/2.2.15
MySQL/5.0.11
Vendor Status
[14.11.2016] Vendor contacted.
[26.12.2016] Vulnerability discovered.
[29.05.2017] No response from the vendor.
[30.05.2017] Public security advisory released.
PoC
ov3_rce.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/42096/
[2] https://cxsecurity.com/issue/WLB-2017050222
[3] https://packetstormsecurity.com/files/142749
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/126641
Changelog
[30.05.2017] - Initial release
[02.06.2017] - Added reference [1], [2] and [3]
[08.06.2017] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk