
appRain 4.0.3: Code Execution
Date: 2015-12-02 10:08:111. Introduction
Affected Product: | appRain 4.0.3 |
Fixed in: | not fixed |
Fixed Version Link: | n/a |
Vendor Website: | info@apprain.com |
Vulnerability Type: | Code Execution |
Remote Exploitable: | Yes |
Reported to vendor: | 10/02/2015 |
Disclosed to public: | 12/02/2015 |
Release mode: | Full Disclosure |
CVE: | requested, but not assigned |
Credits | Tim Coen of Curesec GmbH |
2. Overview
appRain is described as a Content Management Framework written in PHP.
There are various components of appRain 4.0.3 that should not provide the possibility of code execution or arbitrary file upload but do allow it.
All of these issues are by default present in the admin area. It should be noted that admins already have code execution via a designated PHP file editor.
Still, the code of appRain is explicitly intended to be extended by its users, which means that components such as a seemingly secure file uploader, an image uploader, or a function decoding json should not lead to code execution.
3. Unrestricted Upload of File with Dangerous Type 1
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
The file upload uses a blacklist for the file extension to forbid the upload of files with dangerous type. The disallowed extensions are:
php,php3,php4,exe,pl,py,bat,sys,dev,sh
However, files that can be uploaded and that also lead to code execution are .htaccess, as well as files with extension pht, php5, and phtml.
The file upload can be found here:
http://localhost/apprain/admin/filemanager
An admin account is required to use the file manager. It should be noted that an admin already has code execution via the designated PHP file editor. Still, this is an access violation in the context of this component and will also be an issue if users reuse the varifyFileName function in different contexts, which is to be expected.
Code
4. Unrestricted Upload of File with Dangerous Type 2
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
When creating a new slide, the label suggests that only images with extensions "*.jpeg, *.gif" may be uploaded. However, arbitrary files can be uploaded, including .php or .pht files.
An admin account is required to create new slides. It should be noted that an admin already has code execution via the designated PHP file editor. Still, this is an access violation in the context of this component and may also be an issue if users reuse the involved functions in different contexts.
Proof of Concept
5. Possibly Code Execution
CVSS
High 7.6AV:N/AC:H/Au:N/C:C/I:C/A:C
Description
appRain is described as "Content Management Framework", and as such, it is to be expected that public functions are reused in different contexts and should thus be secure.
If the function to decode json is used as described in the documentation, it will be unsecure if user input is passed to it, which is a likely scenario. This is also how it seems to be used by deletegroupAction, which is currently not used anywhere. If a user actually uses either of these functions, the code would likely be vulnerable.
Proof of Concept
Code
6. Solution
This issue was not fixed by the vendor.
7. Report Timeline
10/02/2015 | Informed Vendor. Mailbox info@apprain.com is full, used security@apprain.com instead (no reply) |
10/21/2015 | Reminded Vendor of Disclosure Date |
10/21/2015 | Vendor anounces fix for 11/02/2015 |
11/04/2015 | No fix released, extended public disclosure date to 11/11/2015 |
11/05/2015 | Vendor asks for list of organizations that may help implementing fixes |
11/11/2015 | Replied that we do not have lists, and that we do not have the resources to implement fixes ourselves. Extended release date to 11/18/2015 and offered further extension if needed (no reply) |
11/17/2015 | CVE Requested (no reply) |
11/24/2015 | Reminded Vendor of release date, extended date to 12/02/2015 and offered extension if needed (no reply) |
12/02/2015 | Disclosed to public |