Bolt 2.2.4: Code Execution
Date: 2015-08-17 09:30:211. Introduction
| Affected Product: | Bolt 2.2.4 |
| Fixed in: | 2.2.5 |
| Fixed Version Link: | http://bolt.cm/distribution/archive/bolt-2.2.5.zip |
| Vendor Contact: | Website: https://bolt.cm |
| Vulnerability Type: | Code Execution |
| Remote Exploitable: | Yes |
| Reported to vendor: | 07/14/2015 |
| Disclosed to public: | 08/17/2015 |
| Release mode: | Coordinated release |
| CVE: | CVE-2015-7309 |
| Google Dork: | "This website is Built with Bolt" (About 11,100 results) |
| Credits | Tim Coen of Curesec GmbH |
2. Vulnerability Description
The Bolt CMS does not allow the upload or editing of PHP files in its admin area, which should prevent code execution once an attacker gained admin credentials.
However, when uploading, the actual file type is not checked. The theme editor allows for the renaming of uploaded files, and it does not check the file extension or file type when doing so. Because of this, an attacker can gain code execution.
Please note that admin credentials are required.
3. Proof of Concept
- Visit theme editor: http://localhost/bolt-git-2015-06-25-05c29bf/bolt/files/theme/base-2014
- Upload or edit any existing file with allowed extension to contain <?php passthru($_GET['e']);
- Rename the file, giving it an extension that will make it executable, eg .php
The file will not be shown in the theme editor anymore, because PHP files are not shown, but it will be accessible via eg http://localhost/bolt-git-2015-06-25-05c29bf/theme/base-2014/README.php
4. Solution
To mitigate this issue please upgrade at least to version 2.2.5:
http://bolt.cm/distribution/archive/bolt-2.2.5.zip
Please note that a newer version might already be available.
5. Report Timeline
| 07/14/2015 | Informed Vendor about Issue |
| 07/24/2015 | Vendor releases Version 4.2.3 |
| 08/17/2015 | Disclosed to public |