Zenario CMS 9.2 - Insecure file upload (RCE)
| Field | Value |
| --- | --- |
| Name | Zenario CMS 9.2 - Insecure file upload (RCE) |
| Kind | Insecure file upload (RCE) |
| Rule | 027. Insecure file upload |
| CVSSv3 Base Score | 9.1 |
Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new custom file type with the .phar extension. An attacker can then upload a malicious file, intercept the request and change the extension to .phar in order to run commands on the server.
Proof of Concept
Steps to reproduce
1. Once logged in as admin, click on 'Go to Organizer' > 'Configuration'.
2. Select 'File/MIME Types' in the 'Configuration' menu.
3. Click on 'Create'.
4. Create a new custom file type using 'phar' as the extension and 'text/plain' as the MIME type, then click on 'Save'. The server blocks some dangerous extensions, but other executable extensions such as 'phar' and 'shtml' are still accepted.
5. Create a '.phar' file with the following content:
   <?php echo system($_GET['cmd']); ?>
6. On the admin menu, click on 'Documents'.
7. Click on 'Upload documents'.
8. Click on 'Upload...' and browse to the created file.
9. Select 'Public' and click on 'Save'.
10. Select the file and click on 'Actions' > 'View public link' to get the file location.
11. Open the URL in the browser.
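As a defensive illustration added to this advisory (not Zenario's own code), the following PHP shows the two checks that close this path: a deny list of executable extensions applied when an admin creates a custom file type, and an allow list applied at upload time. The extension lists and function names are assumptions, not Zenario's.

```php
<?php
// Hardening example added to this advisory, not Zenario's own code. Both
// gates decide on the extension alone: the MIME type an admin enters
// (e.g. 'text/plain') has no effect on whether Apache/PHP executes the file.

// Extensions the web server or PHP may execute. 'phar' and 'shtml' are the
// two the advisory names as still passing Zenario's own checks (assumed list).
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phps', 'pht', 'phtml', 'phar',
    'shtml', 'shtm', 'cgi', 'pl', 'htaccess',
];

// Allow list of document types the site actually needs (assumed set).
const ALLOWED_DOCUMENT_EXTENSIONS = ['pdf', 'txt', 'docx', 'xlsx', 'png', 'jpg'];

// Lower-case, strip whitespace and any leading dot ('.PHAR ' -> 'phar').
function normaliseExtension(string $ext): string
{
    return strtolower(ltrim(trim($ext), '.'));
}

// Gate for 'File/MIME Types' > 'Create': refuse executable extensions and
// anything that is not a plain alphanumeric token.
function isSafeCustomFileType(string $ext): bool
{
    $ext = normaliseExtension($ext);
    if (!preg_match('/^[a-z0-9]+$/', $ext)) {
        return false;
    }
    return !in_array($ext, EXECUTABLE_EXTENSIONS, true);
}

// Gate for 'Upload documents': the final extension must be on the allow list
// and no earlier dotted segment may be executable, which also covers names
// like 'shell.phar.txt' on servers that honour multiple extensions.
function isAcceptableUpload(string $filename): bool
{
    $parts = explode('.', basename($filename));
    if (count($parts) < 2) {
        return false;
    }
    $last = normaliseExtension(array_pop($parts));
    foreach ($parts as $segment) {
        if (in_array(normaliseExtension($segment), EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array($last, ALLOWED_DOCUMENT_EXTENSIONS, true);
}
```

With these gates in place, creating the 'phar' custom type and uploading a '.phar' document as described above are both refused, regardless of the MIME type chosen.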
- Version: Zenario CMS 9.2.
- Operating System: Linux.
- Web Server: Apache
- PHP Version: 7.4
- Database and version: Mysql
There is no exploit for the vulnerability, but it can be exploited manually.
An updated version of Zenario CMS is available at the vendor page.
The vulnerability was discovered by Oscar Uribe from the Offensive
Vendor page https://zenar.io/
Patched version https://github.com/TribalSystems/Zenario/releases/tag/9.2.55826
Vendor replied acknowledging the report.