Croogo 2.0.0 Arbitrary PHP Code Execution Exploit
Title: Croogo 2.0.0 Arbitrary PHP Code Execution Exploit
Advisory ID: ZSL-2014-5202
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 12.10.2014
PHP/5.5.6
MySQL 5.6.14
[27.07.2014] Vendor contacted.
[27.07.2014] Vendor responds asking more details.
[27.07.2014] Sent details to the vendor.
[28.07.2014] Vendor confirms the issues promising patch.
[04.08.2014] Working with the vendor.
[07.08.2014] Fix developed.
[02.09.2014] Vendor releases version 2.1.0 to address these issues.
[12.10.2014] Coordinated public security advisory released.
[2] http://www.exploit-db.com/exploits/34958/
[3] http://osvdb.org/show/osvdb/113108
[4] http://osvdb.org/show/osvdb/113112
[5] http://packetstormsecurity.com/files/128640
[6] http://cxsecurity.com/issue/WLB-2014100075
[7] http://www.securityfocus.com/bid/70411
[8] http://xforce.iss.net/xforce/xfdb/96990
[14.10.2014] - Added reference [2], [3], [4], [5], [6] and [7]
[20.10.2014] - Added reference [8]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2014-5202
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 12.10.2014
Summary
Croogo is a free, open source, content management system for PHP, released under The MIT License. It is powered by CakePHP MVC framework.Description
Croogo suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in '/admin/file_manager/attachments/add' script thru the 'data[Attachment][file]' POST parameter and in '/admin/file_manager/file_manager/upload' script thru the 'data[FileManager][file]' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in '/webroot/uploads/' directory.Vendor
Fahad Ibnay Heylaal - http://www.croogo.orgAffected Version
2.0.0Tested On
Apache/2.4.7 (Win32)PHP/5.5.6
MySQL 5.6.14
Vendor Status
[26.07.2014] Vulnerability discovered.[27.07.2014] Vendor contacted.
[27.07.2014] Vendor responds asking more details.
[27.07.2014] Sent details to the vendor.
[28.07.2014] Vendor confirms the issues promising patch.
[04.08.2014] Working with the vendor.
[07.08.2014] Fix developed.
[02.09.2014] Vendor releases version 2.1.0 to address these issues.
[12.10.2014] Coordinated public security advisory released.
PoC
croogo_rce.pyCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://blog.croogo.org/blog/croogo-210-released[2] http://www.exploit-db.com/exploits/34958/
[3] http://osvdb.org/show/osvdb/113108
[4] http://osvdb.org/show/osvdb/113112
[5] http://packetstormsecurity.com/files/128640
[6] http://cxsecurity.com/issue/WLB-2014100075
[7] http://www.securityfocus.com/bid/70411
[8] http://xforce.iss.net/xforce/xfdb/96990
Changelog
[12.10.2014] - Initial release[14.10.2014] - Added reference [2], [3], [4], [5], [6] and [7]
[20.10.2014] - Added reference [8]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk