iScripts EasyCreate 3.0 Remote Code Execution Exploit
Title: iScripts EasyCreate 3.0 Remote Code Execution Exploit
Advisory ID: ZSL-2016-5297
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 28.01.2016
MySQL 5.5.40
[08.12.2015] Follow up with vendor. No response received.
[08.12.2015] Ticket Created using online portal (id #010248399110346).
[08.12.2015] Ticket closed by vendor without requesting vulnerability details.
[28.12.2015] Vendor responds asking more details.
[29.12.2015] Sent details to the vendor.
[05.01.2016] Follow up with vendor. No response received.
[14.01.2016] Follow up with vendor. No response received.
[28.01.2016] Public Security advisory released.
[2] https://cxsecurity.com/issue/WLB-2016010230
[3] https://www.exploit-db.com/exploits/39387/
[31.01.2016] - Added reference [1] and [2]
[01.02.2016] - Added reference [3]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5297
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 28.01.2016
Summary
iScripts EasyCreate is a private label online website builder. This software allows you to start an online business by offering website building services to your customers. Equipped with drag and drop design functionality, crisp templates and social sharing capabilities, this online website builder software will allow you to provide the best website building features to your users.Description
iScripts EasyCreate suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in '/ajax_image_upload.php' script thru the 'userImages' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with '.php4' extension (to bypass the '.htaccess' block rule) that will be stored in '/uploads/siteimages/thumb/' directory.Vendor
iScripts.com - http://www.iscripts.comAffected Version
3.0Tested On
ApacheMySQL 5.5.40
Vendor Status
[17.11.2015] First contact to vendor.[08.12.2015] Follow up with vendor. No response received.
[08.12.2015] Ticket Created using online portal (id #010248399110346).
[08.12.2015] Ticket closed by vendor without requesting vulnerability details.
[28.12.2015] Vendor responds asking more details.
[29.12.2015] Sent details to the vendor.
[05.01.2016] Follow up with vendor. No response received.
[14.01.2016] Follow up with vendor. No response received.
[28.01.2016] Public Security advisory released.
PoC
iscripts_rce.pyCredits
Vulnerability discovered by Bikramaditya Guha - <bik@zeroscience.mk>References
[1] https://packetstormsecurity.com/files/135513[2] https://cxsecurity.com/issue/WLB-2016010230
[3] https://www.exploit-db.com/exploits/39387/
Changelog
[28.01.2016] - Initial release[31.01.2016] - Added reference [1] and [2]
[01.02.2016] - Added reference [3]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk