Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution
Title: Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution
Advisory ID: ZSL-2015-5250
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 04.08.2015
Summary
Microweber is an open source drag and drop PHP/Laravel CMS licensed under the Apache License, Version 2.0, which allows you to create your own website, blog or online shop.

Description
Microweber suffers from an authenticated arbitrary PHP code execution vulnerability. The issue is caused by improper verification of the file extension when files are uploaded through the '/src/Microweber/functions/plupload.php' script. An authenticated user can bypass the extension restriction by appending a dot character to the end of the filename and uploading a malicious PHP script, which is stored in the '/userfiles/media/localhost/uploaded' directory and can then be requested over the web to execute arbitrary PHP code. The trick works because a name such as 'shell.php.' does not match the blocked extension list, while the Windows filesystem used in the test environment below strips the trailing dot when the file is written, so the script lands on disk as 'shell.php'.

Vendor
Microweber Team - http://www.microweber.com

Affected Version
1.0.3

Tested On
Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
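As an added illustration of the filter-bypass class described above (not part of the original advisory and not Microweber's own code), the following Python models a naive extension blacklist of the kind the description refers to, the trailing-dot normalization Windows applies when the file is created, and a hardened check that normalizes the name the same way before validating it against an allowlist and discarding the client-supplied name. The blocked and allowed extension sets, the sample filenames and all function names are constructed assumptions for the example; the real plupload.php logic is not reproduced here.

```python
import os

# Constructed assumptions for this example: a blacklist of the kind a naive
# upload filter might use, and an allowlist for the hardened check. These are
# not Microweber's actual lists.
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def naive_extension(filename):
    """Extension as a naive filter sees it: everything after the last dot."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def vulnerable_is_allowed(filename):
    """Blacklist check on the raw client-supplied name (the flawed pattern)."""
    return naive_extension(filename) not in BLOCKED_EXTENSIONS


def windows_stored_name(filename):
    """Model of Win32 name normalization: trailing dots and spaces are dropped
    when the file is created, so 'shell.php.' lands on disk as 'shell.php'."""
    return filename.rstrip(". ")


def executes_as_php(stored_name):
    """True if the name the web server actually serves ends in a PHP extension."""
    return naive_extension(stored_name) in BLOCKED_EXTENSIONS


def filter_outcome(filename):
    """Walk one upload through the vulnerable filter and the filesystem.
    Returns (passed_filter, stored_name, code_execution)."""
    passed = vulnerable_is_allowed(filename)
    stored = windows_stored_name(filename) if passed else None
    return passed, stored, bool(stored) and executes_as_php(stored)


def safe_extension(filename):
    """Hardened check: normalize the way the filesystem will, then validate
    against an allowlist. Returns the extension to store under, or None."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    name = name.rstrip(". ").lower()                       # same normalization as Win32
    if "." not in name:
        return None
    stem, ext = name.rsplit(".", 1)
    if not stem or ext not in ALLOWED_EXTENSIONS:          # also rejects '.htaccess'
        return None
    # Reject double-extension names such as 'shell.php.jpg', which some
    # Apache AddHandler configurations will still hand to the PHP module.
    if any(part in BLOCKED_EXTENSIONS for part in stem.split(".")):
        return None
    return ext


def safe_stored_name(filename, token):
    """Never reuse the client name on disk: server-chosen token plus validated
    extension. 'token' is supplied by the caller (e.g. a random hex string)."""
    ext = safe_extension(filename)
    return None if ext is None else f"{token}.{ext}"


if __name__ == "__main__":
    # Constructed sample filenames an attacker or a normal user might submit.
    for name in ["photo.jpg", "shell.php", "shell.php.", "shell.PHP .",
                 "shell.php.jpg", "../shell.php.", ".htaccess"]:
        passed, stored, rce = filter_outcome(name)
        print(f"{name!r:18} vulnerable filter: pass={passed!s:5} stored={stored!r:14} "
              f"rce={rce!s:5} | hardened: {safe_stored_name(name, 'a1b2c3')!r}")
```

The point the walk-through makes is that the check and the storage step disagree about what the filename is: the filter sees an empty extension after the final dot, the filesystem sees 'shell.php'. The hardened version removes the disagreement by normalizing first, and removes the attacker's control of the stored name altogether.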
Vendor Status
[12.07.2015] Vulnerability discovered.
[12.07.2015] Initial contact with the vendor.
[13.07.2015] Vendor responds asking more details.
[13.07.2015] Sent details to the vendor.
[13.07.2015] Vendor replies with confirmation of the issue developing fixed version 1.0.4.
[04.08.2015] Vendor releases official new version (1.0.4).
[04.08.2015] Coordinated public security advisory released.
PoC
microweber_upload.txt

Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References
[1] https://github.com/microweber/microweber/blob/master/CHANGELOG.md
[2] https://microweber.com/list-of-contributors
[3] http://cxsecurity.com/issue/WLB-2015080029
[4] https://www.exploit-db.com/exploits/37735/
[5] https://packetstormsecurity.com/files/132970
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/105422
Changelog
[04.08.2015] - Initial release
[09.08.2015] - Added references [4] and [5]
[13.08.2015] - Added reference [6]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk