Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution

Title: Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution
Advisory ID: ZSL-2015-5250
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 04.08.2015
Summary

Microweber is an open source drag-and-drop PHP/Laravel CMS, licensed under the Apache License, Version 2.0, that allows you to create your own website, blog or online shop.

Description

Microweber suffers from an authenticated arbitrary command execution vulnerability. The issue is caused by improper verification when uploading files in the '/src/Microweber/functions/plupload.php' script. This can be exploited to execute arbitrary PHP code by bypassing the extension restriction: appending a dot character to the end of the filename allows a malicious PHP script file to be uploaded, which is then stored in the '/userfiles/media/localhost/uploaded' directory.
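The filter defect described above is a general one: a check that looks only at the text after the last dot sees an empty extension for 'script.php.', while the Win32 file APIs drop trailing dots when the file is created, so the stored name is 'script.php'. The following Python is an added illustration written for this advisory; it is not Microweber's code and does not reproduce plupload.php. It models the weak check, models the Windows trailing-dot behaviour as a plain string operation (labelled as a hypothetical helper, not an OS call), and shows a hardened check that normalises the name first and applies an allowlist to every dotted segment. The extension lists are constructed for the example.

```python
import os
import re

# Constructed lists for the example; a real handler would use the CMS's own policy.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def naive_extension(filename: str) -> str:
    """The pattern a weak filter uses: take whatever follows the last dot.
    For 'script.php.' the text after the last dot is empty, so the
    script extension is never seen."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[-1].lower()


def naive_is_blocked(filename: str) -> bool:
    """Denylist check in the vulnerable style: block only if the last
    segment is a known script extension."""
    return naive_extension(filename) in SCRIPT_EXTENSIONS


def windows_stored_name(filename: str) -> str:
    """Hypothetical model (not an OS call) of how the Win32 file APIs
    create files: trailing dots and spaces are silently dropped, so a
    name that passed the filter as 'script.php.' lands on disk as
    'script.php'."""
    return filename.rstrip(". ")


def normalize_filename(filename: str) -> str:
    """Canonicalise the name before any check: drop directory parts,
    strip surrounding whitespace and trailing dots/spaces (the same
    characters the filesystem would drop), and replace anything outside
    a conservative character set."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = base.strip().rstrip(". ")
    return re.sub(r"[^A-Za-z0-9._-]", "_", base)


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist check on the normalised name. Any script extension in
    *any* dotted segment is rejected, which also covers double
    extensions such as 'script.php.jpg'."""
    name = normalize_filename(filename).lower()
    if not name or name.startswith("."):
        return False
    segments = name.split(".")
    if len(segments) < 2:
        return False
    extensions = segments[1:]
    if any(ext in SCRIPT_EXTENSIONS for ext in extensions):
        return False
    return extensions[-1] in ALLOWED_EXTENSIONS


def audit(filename: str) -> dict:
    """Summarise how both checks treat one submitted name and what the
    stored name would be under the modelled Windows behaviour."""
    return {
        "submitted": filename,
        "naive_blocked": naive_is_blocked(filename),
        "stored_as": windows_stored_name(filename),
        "hardened_allowed": hardened_is_allowed(filename),
    }


if __name__ == "__main__":
    # Constructed sample filenames, including the trailing-dot case.
    for name in ("photo.jpg", "script.php", "script.php.", "script.php.jpg", "photo.jpg."):
        print(audit(name))
```

The design point is that the name must be canonicalised to what the filesystem will actually write before any decision is made, and the decision should be an allowlist rather than a denylist; a denylist that inspects the raw submitted string will keep being bypassed by whatever the platform strips or ignores.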
Vendor

Microweber Team - http://www.microweber.com

Affected Version

1.0.3

Tested On

Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21

Vendor Status

[12.07.2015] Vulnerability discovered.
[12.07.2015] Initial contact with the vendor.
[13.07.2015] Vendor responds asking more details.
[13.07.2015] Sent details to the vendor.
[13.07.2015] Vendor replies with confirmation of the issue developing fixed version 1.0.4.
[04.08.2015] Vendor releases official new version (1.0.4).
[04.08.2015] Coordinated public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://github.com/microweber/microweber/blob/master/CHANGELOG.md
[2] https://microweber.com/list-of-contributors
[3] http://cxsecurity.com/issue/WLB-2015080029
[4] https://www.exploit-db.com/exploits/37735/
[5] https://packetstormsecurity.com/files/132970
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/105422

Changelog

[04.08.2015] - Initial release
[09.08.2015] - Added reference [4] and [5]
[13.08.2015] - Added reference [6]
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk