Centreon 2.6.1 Unrestricted File Upload Vulnerability
Title: Centreon 2.6.1 Unrestricted File Upload Vulnerability
Advisory ID: ZSL-2015-5264
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.09.2015
Apache/2.2.15
PHP/5.3.3
[12.08.2015] Vendor contacted.
[13.08.2015] Vendor replies asking more details.
[13.08.2015] Sent details to the vendor.
[14.08.2015] Vendor sends details to developing team.
[19.08.2015] Asked vendor for status update.
[19.08.2015] Vendor states that some issues were fixed in 2.6.2 and rest will be fixed in 2.6.3 or 2.7.
[25.08.2015] Asked vendor for status update.
[25.08.2015] Vendor will get back to us by 15th of September because of holidays.
[16.09.2015] No reply from the vendor.
[17.09.2015] Informed vendor about public release.
[17.09.2015] Vendor has released version 2.6.2 fixing the file upload issue. Remaining issues promised to be fixed in next release.
[24.09.2015] Vendor releases version 2.6.3 to fix remaining issues?
[26.09.2015] Public security advisory released.
[2] https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.6.3.html
[3] https://www.exploit-db.com/exploits/38339/
[4] https://packetstormsecurity.com/files/133744
[5] https://cxsecurity.com/issue/WLB-2015090168
[07.10.2015] - Added reference [3], [4] and [5]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2015-5264
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.09.2015
Summary
Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management.Description
The vulnerability is caused due to the improper verification of uploaded files via the 'filename' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in the '/img/media/' directory.Vendor
Centreon - https://www.centreon.comAffected Version
2.6.1 (CES 3.2)Tested On
CentOS 6.6 (Final)Apache/2.2.15
PHP/5.3.3
Vendor Status
[10.08.2015] Vulnerability discovered.[12.08.2015] Vendor contacted.
[13.08.2015] Vendor replies asking more details.
[13.08.2015] Sent details to the vendor.
[14.08.2015] Vendor sends details to developing team.
[19.08.2015] Asked vendor for status update.
[19.08.2015] Vendor states that some issues were fixed in 2.6.2 and rest will be fixed in 2.6.3 or 2.7.
[25.08.2015] Asked vendor for status update.
[25.08.2015] Vendor will get back to us by 15th of September because of holidays.
[16.09.2015] No reply from the vendor.
[17.09.2015] Informed vendor about public release.
[17.09.2015] Vendor has released version 2.6.2 fixing the file upload issue. Remaining issues promised to be fixed in next release.
[24.09.2015] Vendor releases version 2.6.3 to fix remaining issues?
[26.09.2015] Public security advisory released.
PoC
centreon_upload.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.6.2.html[2] https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.6.3.html
[3] https://www.exploit-db.com/exploits/38339/
[4] https://packetstormsecurity.com/files/133744
[5] https://cxsecurity.com/issue/WLB-2015090168
Changelog
[26.09.2015] - Initial release[07.10.2015] - Added reference [3], [4] and [5]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk