ImpressPages CMS v3.6 Remote Arbitrary File Deletion Vulnerability

Title: ImpressPages CMS v3.6 Remote Arbitrary File Deletion Vulnerability
Advisory ID: ZSL-2013-5158
Type: Local/Remote
Impact: Manipulation of Data
Risk: (3/5)
Release Date: 31.10.2013
Summary
ImpressPages CMS is an open source web content management system with a revolutionary drag & drop interface.
Description
Input passed to the 'files[0][file]' parameter in '/ip_cms/modules/administrator/repository/controller.php' is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the affected POST parameter.
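A containment check of the kind the description says was missing, given here as an added example; it is not ImpressPages code and not the vendor's 3.7 fix. The helper name resolveInsideRepository(), the directory layout and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (requires PHP 7.1+); resolveInsideRepository() is a hypothetical
// helper, not ImpressPages code.

/** Return the canonical path of $name inside $repoDir, or null if it escapes. */
function resolveInsideRepository(string $repoDir, string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;                       // empty or NUL-containing input
    }
    $base = realpath($repoDir);
    if ($base === false) {
        return null;                       // repository directory is missing
    }
    // realpath() collapses '..' and symlinks and returns false for missing files,
    // so the comparison below runs on the path the filesystem will really use.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Trailing separator keeps "/repo" from matching "/repo-old/...".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed demo data: a temporary repository with one file and one file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'repo_demo_' . bin2hex(random_bytes(4));
$repo = $root . DIRECTORY_SEPARATOR . 'repository';
mkdir($repo, 0700, true);
file_put_contents($repo . DIRECTORY_SEPARATOR . 'upload.txt', 'inside');
file_put_contents($root . DIRECTORY_SEPARATOR . 'outside.txt', 'outside');

// Constructed values standing in for the files[0][file] POST parameter.
$inputs = ['upload.txt', '../outside.txt', '..\\outside.txt', $root . '/outside.txt'];
foreach ($inputs as $name) {
    $path = resolveInsideRepository($repo, $name);
    if ($path !== null) {
        unlink($path);                     // delete only canonical, contained paths
    }
    printf("%-45s %s\n", $name, $path === null ? 'rejected' : 'deleted');
}
printf("outside.txt still present: %s\n",
    file_exists($root . DIRECTORY_SEPARATOR . 'outside.txt') ? 'yes' : 'no');
```

The check compares canonical paths rather than filtering for '../' strings, so it behaves the same for forward slashes, backslashes on Windows, and symlinks inside the repository.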
Vendor
ImpressPages UAB - http://www.impresspages.org
Affected Version
3.6
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
Vendor Status
[12.10.2013] Vulnerability discovered.
[20.10.2013] Contact with the vendor.
[20.10.2013] Vendor responds asking for more details.
[22.10.2013] Sent details to the vendor.
[22.10.2013] Vendor working on reported issue.
[22.10.2013] Asked vendor for estimated timeframe for developing patch.
[24.10.2013] Vendor confirms the issue, promising a fix.
[29.10.2013] Vendor releases version 3.7 to address this issue.
[31.10.2013] Coordinated public security advisory released.
PoC
impresspages_del.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/
[2] http://packetstormsecurity.com/files/123872
[3] http://www.osvdb.org/show/osvdb/99222
[4] http://cxsecurity.com/issue/WLB-2013110001
[5] http://www.securityfocus.com/bid/63470
[6] http://www.exploit-db.com/exploits/29328/
[7] http://secunia.com/advisories/55505
Changelog
[31.10.2013] - Initial release
[01.11.2013] - Added reference [2], [3], [4] and [5]
[03.11.2013] - Added reference [6]
[04.11.2013] - Added reference [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk