CMSLogik 1.2.1 (upload_file_ajax()) Shell Upload Exploit

2013-04-14T00:00:00
ID ZSL-2013-5138
Type zeroscience
Reporter Gjoko Krstic
Modified 2013-04-14T00:00:00

Description

Title: CMSLogik 1.2.1 (upload_file_ajax()) Shell Upload Exploit
Advisory ID: ZSL-2013-5138
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 14.04.2013

Summary

CMSLogik is built on a solid & lightweight framework called CodeIgniter, and design powered by Bootstrap. This combination allows for greater security, extensive flexibility, and ease of use. You can use CMSLogik for almost any niche that your project might fall into.

Description

The vulnerability is caused by improper verification of uploaded files in the '/application/controllers/support.php' script, through the 'upload_file_ajax()' function. It can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with multiple extensions into the '/support_files' directory. Normal user [level 113] authentication is required.

--------------------------------------------------------------------------------

```php
// /application/controllers/support.php, lines 143-153 (CMSLogik 1.2.1)
public function upload_file_ajax()
{
    // The allow-list includes 'php' and 'html', so server-side executable
    // content passes the extension check.
    $allowedExtensions = array('jpeg', 'jpg', 'gif', 'png', 'html', 'php', 'js', 'doc', 'docx', 'pdf', 'ppt', 'pps', 'pptx', 'ppsx');
    $sizeLimit = 10 * 1024;
    $params = array('extensions' => $allowedExtensions, 'size' => $sizeLimit);
    $this->load->library('qqfileuploader', $params);

    // Uploaded files are written into the ./support_files directory.
    $result = $this->qqfileuploader->handleUpload('./support_files');

    echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
}
```
--------------------------------------------------------------------------------
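For contrast with the allow-list above, here is an added example of a hardened upload check. It is not CMSLogik's code or the vendor's patch; it assumes a standard PHP `$_FILES` entry, the hypothetical function names `safeUploadName()` and `handleSupportUpload()`, and the same 10 KiB size limit as `upload_file_ajax()`.

```php
<?php
// Added example, not CMSLogik's or the vendor's patch: a hardened allow-list
// for the support-file upload described above. Assumes a standard PHP
// $_FILES entry and the same 10 KiB limit as upload_file_ajax().

const SAFE_EXTENSIONS = ['jpeg', 'jpg', 'gif', 'png', 'doc', 'docx', 'pdf',
                         'ppt', 'pps', 'pptx', 'ppsx'];
// Anything the web server or browser might execute is refused outright,
// wherever it appears in the name (so 'shell.php.jpg' is rejected too).
const EXECUTABLE_SEGMENTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml',
                             'phar', 'html', 'htm', 'shtml', 'js', 'htaccess'];

function safeUploadName(string $clientName): ?string
{
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) < 2) {
        return null;                         // no extension at all
    }
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, EXECUTABLE_SEGMENTS, true)) {
            return null;                     // multiple-extension trick
        }
    }
    $ext = end($parts);
    if (!in_array($ext, SAFE_EXTENSIONS, true)) {
        return null;
    }
    // Store under a random server-chosen name; the client name is never reused.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function handleSupportUpload(array $file, string $dir = './support_files'): array
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > 10 * 1024) {
        return ['error' => 'upload rejected'];
    }
    $stored = safeUploadName($file['name']);
    if ($stored === null) {
        return ['error' => 'file type not allowed'];
    }
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $stored)) {
        return ['error' => 'could not store file'];
    }
    return ['success' => true, 'filename' => $stored];
}
```

The name check is only one layer: the upload directory should also be served with script execution disabled, so that a file which slips through is never interpreted by PHP.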

Vendor

ThemeLogik - <http://www.themelogik.com/cmslogik>

Affected Version

1.2.1 and 1.2.0

Tested On

Router Webserver

Vendor Status

[05.04.2013] Vulnerability discovered.
[05.04.2013] Contact with the vendor.
[05.04.2013] Vendor replies asking more details.
[05.04.2013] Sent detailed information to the vendor.
[08.04.2013] Vendor confirms the issues promising patch.
[14.04.2013] Vendor fixes the vulnerability.
[14.04.2013] Coordinated public security advisory released.

PoC

cmslogik_shell.py

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://cxsecurity.com/issue/WLB-2013040106>
[2] <http://www.exploit-db.com/exploits/24959/>
[3] <http://packetstormsecurity.com/files/121305>
[4] <http://osvdb.org/show/osvdb/92320>

Changelog

[14.04.2013] - Initial release
[15.04.2013] - Added reference [1] and [2]
[16.04.2013] - Added reference [3] and [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk
