ImpressPages CMS v3.6 Remote Arbitrary File Deletion Vulnerability
Advisory ID: ZSL-2013-5158
Type: Local/Remote
Impact: Manipulation of Data
Risk: (3/5)
Release Date: 31.10.2013
Summary
ImpressPages CMS is an open source web content management system with revolutionary drag & drop interface.
Description
Input passed to the 'files[0][file]' parameter in '/ip_cms/modules/administrator/repository/controller.php' is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the affected POST parameter.
Vendor
ImpressPages UAB - http://www.impresspages.org
Affected Version
3.6
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
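
The kind of containment check that the flaw in the Description calls for, as an added example: this is not ImpressPages code and not the vendor's 3.7 fix. The function name `safeDeleteInRepository`, the directory layout and the file names are hypothetical and constructed for the demo (PHP 7 or later assumed).

```php
<?php
// Added example (hypothetical helper, not ImpressPages code).
// Deletes a file only if its fully resolved path stays inside $baseDir.
function safeDeleteInRepository(string $baseDir, string $userPath): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('Repository directory not found');
    }
    // Reject empty input and NUL bytes before touching the filesystem.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return false;
    }
    // realpath() collapses "..", "." and symlinks; false means no such path.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare against the base plus a trailing separator, so a sibling
    // such as "/repo_backup/x" is not treated as being under "/repo".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'repo_demo_' . uniqid();
$repo = $root . DIRECTORY_SEPARATOR . 'file';
mkdir($repo, 0700, true);
file_put_contents($repo . DIRECTORY_SEPARATOR . 'upload.txt', 'x');
file_put_contents($root . DIRECTORY_SEPARATOR . 'config.php', 'keep');

// Case 1: a name that resolves inside the repository directory.
var_dump(safeDeleteInRepository($repo, 'upload.txt'));
// Case 2: a traversal sequence that resolves outside the repository directory.
var_dump(safeDeleteInRepository($repo, '../config.php'));
// Case 3: whether the file outside the repository still exists.
var_dump(file_exists($root . DIRECTORY_SEPARATOR . 'config.php'));

// Clean up the demo tree.
unlink($root . DIRECTORY_SEPARATOR . 'config.php');
rmdir($repo);
rmdir($root);
```

The decision is made on the resolved path rather than on the raw parameter value, so encoded or mixed-separator variants are handled by the same comparison instead of a blacklist of substrings.
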
Vendor Status
[12.10.2013] Vulnerability discovered.
[20.10.2013] Contact with the vendor.
[20.10.2013] Vendor responds asking more details.
[22.10.2013] Sent details to the vendor.
[22.10.2013] Vendor working on reported issue.
[22.10.2013] Asked vendor for estimated timeframe for developing patch.
[24.10.2013] Vendor confirms the issue promising fix.
[29.10.2013] Vendor releases version 3.7 to address this issue.
[31.10.2013] Coordinated public security advisory released.
PoC
impresspages_del.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/
[2] http://packetstormsecurity.com/files/123872
[3] http://www.osvdb.org/show/osvdb/99222
[4] http://cxsecurity.com/issue/WLB-2013110001
[5] http://www.securityfocus.com/bid/63470
[6] http://www.exploit-db.com/exploits/29328/
[7] http://secunia.com/advisories/55505
Changelog
[31.10.2013] - Initial release
[01.11.2013] - Added reference [2], [3], [4] and [5]
[03.11.2013] - Added reference [6]
[04.11.2013] - Added reference [7]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk