CouchCMS 1.4.5: Code Execution
Date: 2015-12-21 10:28:55
| Affected Product: | CouchCMS 1.4.5 |
| Fixed Version Link: | http://www.couchcms.com/products/ |
| Vulnerability Type: | Code Execution |
| Reported to vendor: | 11/17/2015 |
| Disclosed to public: | 12/21/2015 |
| Release mode: | Coordinated Release |
| Credits: | Tim Coen of curesec GmbH |
CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
When uploading a file, the file extension is checked against a blacklist. This blacklist misses at least the pht extension, which is executed by most default Apache configurations. The uploaded file must be a valid image file, but an attacker can bypass this restriction.
Admin credentials are required to upload files.
An .htaccess file forbids the execution of PHP code in uploaded files, but some servers are configured not to read .htaccess files, for example for performance reasons. Apache, for example, has ignored .htaccess files by default since version 2.3.9.
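The difference between the extension blacklist described above and an allowlist, as an added PHP example (not CouchCMS code and not part of the advisory). Both lists, the function names and the sample file names are constructed for illustration.

```php
<?php
// Added illustration; not CouchCMS source code. Both lists are constructed.
const DENYLIST  = ['php', 'php3', 'php4', 'php5', 'phtml', 'cgi', 'pl', 'exe'];
const ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif'];

/** Lower-cased final extension of a client-supplied file name ('' if none). */
function upload_extension(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

/** Weak check: accept anything that is not explicitly listed. */
function denylist_accepts(string $name): bool
{
    return !in_array(upload_extension($name), DENYLIST, true);
}

/** Hardened check: accept only extensions known to be inert image types. */
function allowlist_accepts(string $name): bool
{
    return in_array(upload_extension($name), ALLOWLIST, true);
}

/**
 * Name to store on disk: a random base name plus the allowlisted extension,
 * so nothing else from the client-supplied name reaches the file system.
 * Returns null when the upload must be rejected.
 */
function stored_name(string $name): ?string
{
    if (!allowlist_accepts($name)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . upload_extension($name);
}

// Constructed sample file names, compared under both checks.
foreach (['photo.JPG', 'logo.png', 'avatar.pht', 'notes'] as $name) {
    printf(
        "%-12s denylist=%-6s allowlist=%-6s stored=%s\n",
        $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_accepts($name) ? 'accept' : 'reject',
        stored_name($name) ?? '(rejected)'
    );
}
```

Because the .htaccess restriction may not be read, the same execution ban for the upload directory belongs in the main server configuration as well.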
3. Proof of Concept
4. Solution
To mitigate this issue, please upgrade to at least version 1.4.7:
Please note that a newer version might already be available.
5. Report Timeline
| 11/17/2015 | Informed Vendor about Issue |
| 11/18/2015 | Vendor sends fixes for confirmation |
| 11/24/2015 | Vendor releases fix |
| 12/21/2015 | Disclosed to public |