phpwcms 1.7.9 Code Execution

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: phpwcms 1.7.9  
Fixed in: 1.8.0 RC1  
Fixed Version https://github.com/slackero/phpwcms/archive/  
Link: phpwcms-1.8.0-RC1.zip  
Vendor Website: http://www.phpwcms.de/  
Vulnerability Code Execution  
Type:  
Remote Yes  
Exploitable:  
Reported to 09/29/2015  
vendor:  
Disclosed to 12/02/2015  
public:  
Release mode: Coordinated release  
CVE: requested, but not assigned  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
phpwcms allows the upload of files with dangerous type, which leads to code  
execution. Additionally, it allows registered users who are not admins to use  
PHP tags, which also leads to code execution.  
  
Please note that a user account is needed to upload files. The user does not  
need administration rights, but there is no open registration by default (the  
form to add users is however open to CSRF).  
  
3. Unrestricted Upload of File with Dangerous Type  
  
CVSS  
  
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C  
  
Description  
  
When uploading files, there are no checks as to the type or extension of the  
file.  
  
When uploading single files, these are stored inside the "filearchive"  
directory. The original file name is changed to the hash of the file name. The  
directory is protected with a .htaccess file from accessing or executing files  
directly. Because of this, uploading single files can not easily be exploited;  
it may however be possible to execute them via include_int_php (see below).  
  
However, when uploading multiple files, these are stored temporarily inside the  
"upload" directory, and these files are not renamed. The "upload" directory is  
also protected by an .htaccess file, but as .htaccess files can be uploaded, it  
can be overwritten, thus leading to code execution.  
  
Please note that a user account is needed to upload files. The user does not  
need administration rights, but there is no open registration by default.  
  
Proof of Concept  
  
  
Upload a .htaccess file and a PHP file here:  
http://localhost/phpwcms-phpwcms-1.7.9/phpwcms.php?do=files&p=8  
  
The .htaccess file should contain:  
allow from all  
  
Now the uploaded PHP file can be accessed and executed:  
http://localhost/phpwcms-phpwcms-1.7.9/upload/shell.php?x=id  
  
4. Code Execution  
  
CVSS  
  
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C  
  
Description  
  
The functions include_int_php, include_int_phpcode, and include_ext_php can all  
be used to gain code execution. These functions can be used by any logged in  
user, admin rights are not required.  
  
Proof of Concept  
  
  
Create a new article. As author, use  
[PHP] passthru("touch mynewtest.php") [/PHP]  
  
Visiting  
http://localhost/phpwcms-phpwcms-1.7.9/feeds.php  
is one of the ways to trigger the code execution.  
  
Please note that the feed is by default cached for one hour, during which the  
code would not be executed as the cache is loaded instead.  
  
The vulnerable functions are used in other places as well, which means an  
attacker may not have to wait an hour for the cache to clear by triggering the  
code elsewhere.  
  
5. Solution  
  
To mitigate this issue please upgrade at least to version 1.8.0 RC1:  
  
https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip  
  
Please note that a newer version might already be available.  
  
6. Report Timeline  
  
09/29/2015 Informed Vendor about Issue  
09/29/2015 Vendor confirmed issues  
10/21/2015 Reminded Vendor of Disclosure Date  
10/25/2015 Vendor requests more time  
11/17/2015 CVE Requested (no reply)  
11/24/2015 Reminded Vendor of Disclosure Date  
11/29/2015 Vendor releases fix  
12/02/2015 Disclosed to public  
  
  
Blog Reference:  
https://blog.curesec.com/article/blog/phpwcms-179-Code-Execution-122.html  
  
--  
blog: https://blog.curesec.com  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Romain-Rolland-Str 14-24  
13089 Berlin, Germany  
  
  
`