lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0Lup8L-1aEPZI11iz-0108Le@mrelayeu.kundenserver.de>
Date: Mon, 07 Dec 2015 18:13:36 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] phpwcms 1.7.9: Code Execution

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:  phpwcms 1.7.9
Fixed in:          1.8.0 RC1
Fixed Version      https://github.com/slackero/phpwcms/archive/
Link:              phpwcms-1.8.0-RC1.zip
Vendor Website:    http://www.phpwcms.de/
Vulnerability      Code Execution
Type:
Remote             Yes
Exploitable:
Reported to        09/29/2015
vendor:
Disclosed to       12/02/2015
public:
Release mode:      Coordinated release
CVE:               requested, but not assigned
Credits            Tim Coen of Curesec GmbH

2. Overview

phpwcms allows the upload of files with dangerous type, which leads to code
execution. Additionally, it allows registered users who are not admins to use
PHP tags, which also leads to code execution.

Please note that a user account is needed to upload files. The user does not
need administration rights, but there is no open registration by default (the
form to add users is however open to CSRF).

3. Unrestricted Upload of File with Dangerous Type

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading files, there are no checks as to the type or extension of the
file.

When uploading single files, these are stored inside the "filearchive"
directory. The original file name is changed to the hash of the file name. The
directory is protected with a .htaccess file from accessing or executing files
directly. Because of this, uploading single files can not easily be exploited;
it may however be possible to execute them via include_int_php (see below).

However, when uploading multiple files, these are stored temporarily inside the
"upload" directory, and these files are not renamed. The "upload" directory is
also protected by an .htaccess file, but as .htaccess files can be uploaded, it
can be overwritten, thus leading to code execution.

Please note that a user account is needed to upload files. The user does not
need administration rights, but there is no open registration by default.

Proof of Concept


Upload a .htaccess file and a PHP file here:
    http://localhost/phpwcms-phpwcms-1.7.9/phpwcms.php?do=files&p=8

The .htaccess file should contain:
    allow from all

Now the uploaded PHP file can be accessed and executed:
    http://localhost/phpwcms-phpwcms-1.7.9/upload/shell.php?x=id

4. Code Execution

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

The functions include_int_php, include_int_phpcode, and include_ext_php can all
be used to gain code execution. These functions can be used by any logged in
user, admin rights are not required.

Proof of Concept


Create a new article. As author, use
    [PHP] passthru("touch mynewtest.php") [/PHP]

Visiting
    http://localhost/phpwcms-phpwcms-1.7.9/feeds.php
is one of the ways to trigger the code execution.

Please note that the feed is by default cached for one hour, during which the
code would not be executed as the cache is loaded instead.

The vulnerable functions are used in other places as well, which means an
attacker may not have to wait an hour for the cache to clear by triggering the
code elsewhere.

5. Solution

To mitigate this issue please upgrade at least to version 1.8.0 RC1:

https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
09/29/2015 Vendor confirmed issues
10/21/2015 Reminded Vendor of Disclosure Date
10/25/2015 Vendor requests more time
11/17/2015 CVE Requested (no reply)
11/24/2015 Reminded Vendor of Disclosure Date
11/29/2015 Vendor releases fix
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/phpwcms-179-Code-Execution-122.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ