Dream CMS 2.3.0 CSRF Add Extension And File Upload PHP Code Execution

Title: Dream CMS 2.3.0 CSRF Add Extension And File Upload PHP Code Execution
Advisory ID: ZSL-2015-5268
Type: Local/Remote
Impact: Cross-Site Request Forgery, System Access
Risk: (4/5)
Release Date: 11.10.2015
Summary
DreamCMS is an open and completely free PHP web application for constructing websites of any complexity.
Description
Dream CMS allows users to perform certain actions via HTTP requests without any check that the request was intentionally issued by the user. This can be exploited to perform actions with administrative privileges if a logged-in administrator visits a malicious web site (cross-site request forgery). Chained with the CSRF issue, an authenticated arbitrary PHP code execution vulnerability exists. It is caused by improper verification of files uploaded through the '/files-manager-administration/add-file' script via the 'file' POST parameter, which allows arbitrary files to be uploaded to '/resource/filemanager/1/home/'. The only restriction is the file manager's admin-editable list of allowed extensions, and the CSRF issue lets an attacker add the 'php' extension to that list on the administrator's behalf. Together this can be exploited to upload a malicious PHP script and execute system commands.
Vendor
Dream CMS - http://www.dream-cms.kg
Affected Version
2.3.0
Tested On
nginx/1.6.2
PHP/5.5.28
Vendor Status
[01.10.2015] Vulnerability discovered.
[08.10.2015] Vendor contacted.
[08.10.2015] Vendor responds asking more details.
[08.10.2015] Sent details to the vendor.
[09.10.2015] Vendor confirms the vulnerability scheduling patch release date.
[11.10.2015] Vendor releases version 2.3.1 to address this issue.
[11.10.2015] Coordinated public security advisory released.
PoC
dreamcms_csrfrce.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://dream-cms.kg/en/news-list/news/_id/release-of-application--231
[2] https://github.com/esase/dream-cms/issues/40
[3] https://packetstormsecurity.com/files/133920
[4] https://cxsecurity.com/issue/WLB-2015100084
[5] https://www.exploit-db.com/exploits/38446/
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/107172
[7] https://exchange.xforce.ibmcloud.com/vulnerabilities/107173
[8] https://exchange.xforce.ibmcloud.com/vulnerabilities/107174
Changelog
[11.10.2015] - Initial release
[15.10.2015] - Added reference [3], [4] and [5]
[21.10.2015] - Added reference [6], [7] and [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk