Zenario CMS 7.0.7c Remote Code Execution Vulnerability
Title: Zenario CMS 7.0.7c Remote Code Execution Vulnerability
Advisory ID: ZSL-2015-5280
Type: Local/Remote
Impact: System Access
Risk: (3/5)
Release Date: 17.11.2015
Summary
Zenario is a web-based content management system for sites with one or many languages. It's designed to grow with your site, adding extranet, online database and custom functionality when you need it.
Description
The vulnerability is caused by improper verification of files uploaded through the Document upload script using the 'Filedata' POST parameter. This allows arbitrary files to be uploaded to '/public/downloads', where they can be accessed through a publicly generated link; the admin first needs to add the file extension to the allowed list. This can be exploited to execute arbitrary PHP code, and system commands, by uploading a malicious PHP script file.
Vendor
Tribal Ltd. - http://www.zenar.io
Affected Version
<= 7.0.7c and 7.1.0 (svn)
Tested On
Ubuntu 14.04 LTS
PHP 5.5.9-1ubuntu4.1
Zend Engine v2.5.0
Zend OPcache v7.0.3
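
Added example, not part of the original advisory and not Zenario code: a Python audit that walks an upload directory such as '/public/downloads' and flags files the web server could run as PHP, the condition the Description warns about. The extension set, the function names (`classify`, `audit`, `build_sample`) and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions commonly mapped to the PHP handler (assumption; align this set
# with the handler mappings of the server being audited).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # "<?php" and short echo "<?="

def classify(path, sniff_bytes=4096):
    """Return the reasons a file looks server-executable; empty list if none."""
    reasons = []
    # Check every extension component, case-insensitively, because some
    # handler configurations match on any component, not only the last one.
    parts = Path(path).name.lower().split(".")[1:]
    hits = [p for p in parts if p in SCRIPT_EXTS]
    if hits:
        reasons.append("script extension: " + ",".join(hits))
    with open(path, "rb") as fh:
        if PHP_TAG.search(fh.read(sniff_bytes)):
            reasons.append("PHP open tag in content")
    return reasons

def audit(root):
    """Walk root; map each suspicious file's relative path to its reasons."""
    findings = {}
    for full in Path(root).rglob("*"):
        reasons = classify(full) if full.is_file() else []
        if reasons:
            findings[full.relative_to(root).as_posix()] = reasons
    return findings

def build_sample(root):
    """Write constructed sample files standing in for public/downloads."""
    samples = {
        "manual.pdf": b"%PDF-1.4 constructed sample",
        "x1/Report.PHP": b"<?php echo 'constructed sample'; ?>",
        "x2/notes.php.txt": b"plain text, constructed sample",
        "x3/logo.png": b"\x89PNG constructed <?= 'sample' ?>",
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

On a real installation, point `audit()` at the site's downloads directory and review each finding against the extensions listed in the admin's allowed list.
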
Vendor Status
[27.10.2015] Vulnerability discovered.
[28.10.2015] Vendor contacted.
[28.10.2015] Vendor responds asking more details.
[29.10.2015] Sent details to the vendor.
[30.10.2015] Vendor is looking into the issue.
[01.11.2015] Working with the vendor.
[15.11.2015] Asked vendor for status update.
[16.11.2015] Vendor releases version 7.0.7d to address this issue.
[17.11.2015] Public security advisory released.
PoC
zenario_rce.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://zenar.io/zenario-707d
[2] https://packetstormsecurity.com/files/134421
[3] https://cxsecurity.com/issue/WLB-2015110162
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/108136
Changelog
[17.11.2015] - Initial release
[18.11.2015] - Added reference [2] and [3]
[19.11.2015] - Added reference [4]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk