NibbleBlog 4.0.3: Code Execution
Date: 2015-09-01 10:36:33

Affected Product: NibbleBlog 4.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: Website: http://www.nibbleblog.com/
Vulnerability Type: Code Execution
Reported to vendor: 07/21/2015
Disclosed to public: 09/01/2015
Release mode: Full Disclosure
Credits: Tim Coen of Curesec GmbH
2. Vulnerability Description
When uploading image files via the "My image" plugin, which is delivered with NibbleBlog by default, NibbleBlog 4.0.3 keeps the original extension of the uploaded file. Neither this extension nor the actual file type is checked, so it is possible to upload PHP files and gain code execution.
Please note that admin credentials are required.
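The missing control is a server-side check of both the extension and the actual file content before the upload is stored under a name the server will execute. The following is an added example of such a check, not NibbleBlog's own code; the destination directory and the form field name are assumptions.

```php
<?php
// Added example (not NibbleBlog's code): a hardened image-upload handler that
// enforces the checks the "My image" plugin lacks. Paths and the $_FILES field
// name are assumed for illustration.

// Allowed extensions and the MIME type each one must actually carry.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Returns the stored file name on success, or throws on any validation failure.
function store_image(array $file, string $dest_dir): string
{
    if (!isset($file['tmp_name'], $file['name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or incomplete');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Extension must be on the allowlist; "shell.php" is rejected here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Check the content, not only the name: getimagesize() parses the image
    //    header and finfo reads the magic bytes. Both must agree with the extension.
    $info = @getimagesize($file['tmp_name']);
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED[$ext] || $mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match an allowed image type');
    }

    // 3. Never reuse the client-supplied name: a random name removes any chance
    //    of the caller choosing the stored path or a second extension.
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($dest_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644); // readable by the web server, never executable
    return $name;
}

// Usage (assumed form field "image" and assumed upload directory):
// $saved = store_image($_FILES['image'], __DIR__ . '/content/private/plugins/my_image');
```

Because a file can be a valid image and still contain PHP code, the upload directory should additionally be configured so the web server never executes scripts from it (or should sit outside the web root), so that the content check is not the only line of defence.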
3. Proof of Concept
- Obtain admin credentials (for example via phishing via XSS, which can be gained via CSRF; see the advisory about CSRF in NibbleBlog 4.0.3)
- Activate the My image plugin by visiting http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
- Upload a PHP shell, ignoring the warnings
- Visit http://localhost/nibbleblog/content/private/plugins/my_image/image.php. image.php is the default name of images uploaded via the plugin.
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
07/21/2015: Informed vendor about issue
08/18/2015: Reminded vendor of release date (no reply)
09/01/2015: Disclosed to public