Kemana Directory 1.5.6 Remote Code Execution
Title: Kemana Directory 1.5.6 Remote Code Execution
Advisory ID: ZSL-2014-5178
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 25.03.2014
PHP/5.5.6
MySQL 5.6.14
[10.03.2014] Vendor contacted.
[11.03.2014] Vendor responds asking more details.
[11.03.2014] Sent details to the vendor.
[12.03.2014] Working with the vendor.
[13.03.2014] Vendor working on a new version.
[21.03.2014] Asked vendor for status update.
[21.03.2014] Vendor promises patch release in April.
[25.03.2014] Public security advisory released.
[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5182.php
[3] http://packetstormsecurity.com/files/125875
[4] http://www.exploit-db.com/exploits/32507
[5] http://cxsecurity.com/issue/WLB-2014030201
[6] http://www.c97.net/news/security-issues-with-qengine-family.php
[7] http://osvdb.org/show/osvdb/105044
[8] http://osvdb.org/show/osvdb/105045
[9] http://osvdb.org/show/osvdb/105047
[10] http://osvdb.org/show/osvdb/105048
[11] https://secunia.com/advisories/57561/
[26.03.2014] - Added reference [3], [4] and [5]
[27.03.2014] - Added reference [6]
[31.03.2014] - Added reference [7], [8], [9] and [10]
[09.04.2014] - Added reference [11]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2014-5178
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 25.03.2014
Summary
Experience the ultimate directory script solution with Kemana. Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features including: CMS engine based on our qEngine, multiple directories support, user friendly administration control panel, easy to use custom fields, unsurpassed flexibility.Description
Kemana Directory suffers from an authenticated arbitrary code execution. The vulnerability is caused due to the improper verification of uploaded files in several modules thru several POST parameters. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in '/public/image' directory.Vendor
C97net - http://www.c97.netAffected Version
1.5.6Tested On
Apache/2.4.7 (Win32)PHP/5.5.6
MySQL 5.6.14
Vendor Status
[07.03.2014] Vulnerability discovered.[10.03.2014] Vendor contacted.
[11.03.2014] Vendor responds asking more details.
[11.03.2014] Sent details to the vendor.
[12.03.2014] Working with the vendor.
[13.03.2014] Vendor working on a new version.
[21.03.2014] Asked vendor for status update.
[21.03.2014] Vendor promises patch release in April.
[25.03.2014] Public security advisory released.
PoC
kemana_rce.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5174.php[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5182.php
[3] http://packetstormsecurity.com/files/125875
[4] http://www.exploit-db.com/exploits/32507
[5] http://cxsecurity.com/issue/WLB-2014030201
[6] http://www.c97.net/news/security-issues-with-qengine-family.php
[7] http://osvdb.org/show/osvdb/105044
[8] http://osvdb.org/show/osvdb/105045
[9] http://osvdb.org/show/osvdb/105047
[10] http://osvdb.org/show/osvdb/105048
[11] https://secunia.com/advisories/57561/
Changelog
[25.03.2014] - Initial release[26.03.2014] - Added reference [3], [4] and [5]
[27.03.2014] - Added reference [6]
[31.03.2014] - Added reference [7], [8], [9] and [10]
[09.04.2014] - Added reference [11]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk