NibbleBlog 4.0.3 - Code Execution - Not fixed

["Curesec Research Team (CRT)" <crt () curesec com>]

NibbleBlog 4.0.3: Code Execution
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:       NibbleBlog 4.0.3        
Fixed in:               not fixed
Fixed Version Link:     n/a     
Vendor Contact:         Website: http://www.nibbleblog.com/     
Vulnerability Type:     Code Execution  
Remote Exploitable:     Yes     
Reported to vendor:     07/21/2015      
Disclosed to public:    09/01/2015      
Release mode:           Full Disclosure 
CVE:                    n/a     
Credits                 Tim Coen of Curesec GmbH        

2. Vulnerability Description

When uploading image files via the "My image" plugin - which is
delivered with NibbleBlog by default - , NibbleBlog 4.0.3 keeps the
original extension of uploaded files. This extension or the actual file
type are not checked, thus it is possible to upload PHP files and gain
code execution.

Please note that admin credentials are required.

3. Proof of Concept

    Obtain Admin credentials (for example via Phishing via XSS which can
be gained via CSRF, see advisory about CSRF in NibbleBlog 4.0.3)
    Activate My image plugin by visiting
http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
    Upload PHP shell, ignore warnings
    Visit
http://localhost/nibbleblog/content/private/plugins/my_image/image.php.
This is the default name of images uploaded via the plugin.

4. Code


                if( $plugin->init_db() )
                {
                        // upload files
                        foreach($_FILES as $field_name=>$file)
                        {
                                $extension = strtolower(pathinfo($file['name'],
PATHINFO_EXTENSION));
                                $destination = PATH_PLUGINS_DB.$plugin->get_dir_name();
                                $complete = $destination.'/'.$field_name.'.'.$extension;

                                // Upload the new file and move
                                if(move_uploaded_file($file["tmp_name"], $complete))
                                {
                                        // Resize images if requested by the plugin
                                        if(isset($_POST[$field_name.'_resize']))
                                        {
                                                $width =
isset($_POST[$field_name.'_width'])?$_POST[$field_name.'_width']:200;
                                                $height =
isset($_POST[$field_name.'_height'])?$_POST[$field_name.'_height']:200;
                                                $option =
isset($_POST[$field_name.'_option'])?$_POST[$field_name.'_option']:'auto';
                                                $quality =
isset($_POST[$field_name.'_quality'])?$_POST[$field_name.'_quality']:100;

                                                $Resize->setImage($complete, $width, $height, $option);
                                                $Resize->saveImage($complete, $quality, true);
                                        }
                                }
                        }

                        unset($_POST['plugin']);

                        // update fields
                        $plugin->set_fields_db($_POST);

                        Session::set_alert($_LANG['CHANGES_HAS_BEEN_SAVED_SUCCESSFULLY']);
                }
        }

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

07/21/2015      Informed Vendor about Issue
07/22/2015      Vendor Replied
08/18/2015      Reminded Vendor of release date (no reply)
09/01/2015      Disclosed to public

7. Blog Reference
http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/