Zenario CMS 9.2 - Insecure file upload (RCE)

Summary

Vulnerability

Description

Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new File/MIME Types using the .phar extension. Then an attacker can upload a malicious file, intercept the request and change the extension to .phar in order to run commands on the server.

Proof of Concept

Steps to reproduce

1. Once login as admin click on 'Go to Organizer'> 'Configuration'.

2. Select 'File/MIME Types' in the 'Configuration' menu.

3. Click on 'Create'.

4. Create a new custom file type using 'phar' as extension and 'text/plain' as MIME Type and then click on 'Save'.

   The server validates some malicious extensions but still there are some valid executable extensions. For example 'phar' and 'shtml'.

5. Create a '.phar' file with the following content.

   <?php echo system($_GET['cmd']); ?>
   

6. On the admin menu, click on 'Documents'

7. Click on 'Upload documents'

8. Click on 'Upload...' and browse the created file.

9. Select 'Public' and click on 'Save'.

10. Select the file and click on 'Actions' > 'View public link' in order to get the file location.

11. Go to the url in the browser.

System Information

• Version: Zenario CMS 9.2.
• Operating System: Linux.
• Web Server: Apache
• PHP Version: 7.4
• Database and version: Mysql

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

An updated version of Zenario CMS is available at the vendor page.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://zenar.io/

Patched version https://github.com/TribalSystems/Zenario/releases/tag/9.2.55826

Timeline