
CouchCMS 1.4.5: Code Execution
Date: 2015-12-21 10:28:55
1. Introduction
Affected Product: | CouchCMS 1.4.5 |
Fixed in: | 1.4.7 |
Fixed Version Link: | http://www.couchcms.com/products/ |
Vendor Website: | http://www.couchcms.com/ |
Vulnerability Type: | Code Execution |
Remote Exploitable: | Yes |
Reported to vendor: | 11/17/2015 |
Disclosed to public: | 12/21/2015 |
Release mode: | Coordinated Release |
CVE: | n/a |
Credits: | Tim Coen of Curesec GmbH |
2. Overview
CVSS
High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
Description
When a file is uploaded, its extension is checked against a blacklist. This blacklist misses at least pht, which is executed by most default Apache configurations. The uploaded file must be a valid image file, but an attacker can bypass this restriction.
Admin credentials are required to upload files.
An htaccess file forbids the execution of PHP code in uploaded files, but some servers are configured not to read htaccess files, for example for performance reasons. Apache, for example, has ignored htaccess files by default since version 2.3.9.
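The extension check described above, as an added example that is not CouchCMS code and not part of the original advisory: a deny-list check next to an allow-list check that also generates the stored file name on the server. The deny-list contents, the function names and the sample bytes are assumptions made for illustration.

```python
import os
import secrets

# Constructed deny-list for illustration; NOT CouchCMS's actual list.
DENYLIST = {"php", "php3", "php4", "php5", "phtml", "exe", "pl", "cgi"}

# Allow-list: leading bytes of each accepted image type -> canonical extension.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Client-supplied extensions we accept, mapped to the canonical one.
ALLOWED_EXT = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}

# Constructed sample upload body: a PNG signature followed by padding.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def ext_of(filename):
    """Lower-cased final extension without the dot ('' if there is none)."""
    return os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()


def denylist_accepts(filename):
    """Weak check: accept anything whose extension is not explicitly listed."""
    return ext_of(filename) not in DENYLIST


def allowlist_store_name(filename, content):
    """Strict check: return a server-generated name, or None to reject.

    The client-supplied extension must be allow-listed AND agree with the
    type detected from the leading bytes. The stored name reuses neither
    the client's base name nor its extension.
    """
    claimed = ALLOWED_EXT.get(ext_of(filename))
    detected = next((t for m, t in MAGIC.items() if content.startswith(m)), None)
    if claimed is None or claimed != detected:
        return None
    return secrets.token_hex(16) + "." + detected


if __name__ == "__main__":
    for name in ("avatar.png", "avatar.pht"):
        print(name, denylist_accepts(name), allowlist_store_name(name, SAMPLE_PNG))
```

With the allow-list form, the result no longer depends on the deny-list being complete: an extension that nobody thought to list is rejected by default.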
3. Proof of Concept
4. Solution
To mitigate this issue, please upgrade to at least version 1.4.7:
http://www.couchcms.com/products/
Please note that a newer version might already be available.
5. Report Timeline
11/17/2015 | Informed Vendor about Issue |
11/18/2015 | Vendor sends fixes for confirmation |
11/20/2015 | Verified fixes |
11/24/2015 | Vendor releases fix |
12/21/2015 | Disclosed to public |