SkaDate Lite 2.0 Remote Code Execution Exploit
Title: SkaDate Lite 2.0 Remote Code Execution Exploit
Advisory ID: ZSL-2014-5198
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 30.07.2014
nginx/1.6.0
PHP/5.3.28
MySQL 5.5.37
[28.07.2014] Vendor contacted.
[28.07.2014] Vendor responds asking more details.
[28.07.2014] Sent details to the vendor.
[29.07.2014] Vendor will fix the issues in the next release.
[30.07.2014] Public security advisory released.
[2] http://www.exploit-db.com/exploits/34205/
[3] http://osvdb.org/show/osvdb/109690
[4] http://packetstormsecurity.com/files/127691
[5] http://sebug.net/vuldb/ssvid-87168
[6] http://cxsecurity.com/issue/WLB-2014070182
[7] http://xforce.iss.net/xforce/xfdb/95056
[05.10.2014] - Added reference [3], [4], [5] and [6]
[20.10.2014] - Added reference [7]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2014-5198
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 30.07.2014
Summary
SkaDate Lite is a new platform that makes it easy to start online dating business in just a few easy steps. No programming or design knowledge is required. Install the solution, pick a template, and start driving traffic to your new online dating site.Description
SkaDate Lite suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in '/admin/settings/user' script thru the 'avatar' and 'bigAvatar' POST parameters. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with '.php5' extension (to bypass the '.htaccess' block rule) that will be stored in '/ow_userfiles/plugins/base/avatars/' directory.Vendor
Skalfa LLC - http://lite.skadate.comAffected Version
2.0 (build 7651) [Platform version: 1.7.0 (build 7906)]Tested On
CentOS Linux 6.5 (Final)nginx/1.6.0
PHP/5.3.28
MySQL 5.5.37
Vendor Status
[23.07.2014] Vulnerability discovered.[28.07.2014] Vendor contacted.
[28.07.2014] Vendor responds asking more details.
[28.07.2014] Sent details to the vendor.
[29.07.2014] Vendor will fix the issues in the next release.
[30.07.2014] Public security advisory released.
PoC
skadatelite_rce.pyCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5196.php[2] http://www.exploit-db.com/exploits/34205/
[3] http://osvdb.org/show/osvdb/109690
[4] http://packetstormsecurity.com/files/127691
[5] http://sebug.net/vuldb/ssvid-87168
[6] http://cxsecurity.com/issue/WLB-2014070182
[7] http://xforce.iss.net/xforce/xfdb/95056
Changelog
[30.07.2014] - Initial release[05.10.2014] - Added reference [3], [4], [5] and [6]
[20.10.2014] - Added reference [7]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk