Menu

Improved exploit search engine. Try it out

"Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure"

Author

"SEC Consult"

Platform

php

Release date

2018-07-13

Release Date Title Type Platform Author
2019-07-15 "FlightPath < 4.8.2 / < 5.0-rc2 - Local File Inclusion" webapps php "Mohammed Althibyani"
2019-07-12 "MyT Project Management 1.5.1 - User[username] Persistent Cross-Site Scripting" webapps php "Metin Yunus Kandemir"
2019-07-08 "WordPress Plugin Like Button 1.6.0 - Authentication Bypass" webapps php "Benjamin Lim"
2019-07-08 "Karenderia Multiple Restaurant System 5.3 - SQL Injection" webapps php "Mehmet EMIROGLU"
2019-07-05 "Karenderia Multiple Restaurant System 5.3 - Local File Inclusion" webapps php "Mehmet EMIROGLU"
2019-07-02 "Centreon 19.04 - Remote Code Execution" webapps php Askar
2019-07-01 "ZoneMinder 1.32.3 - Cross-Site Scripting" webapps php "Joey Lane"
2019-07-01 "CiuisCRM 1.6 - 'eventType' SQL Injection" webapps php "Mehmet EMIROGLU"
2019-07-01 "WorkSuite PRM 2.4 - 'password' SQL Injection" webapps php "Mehmet EMIROGLU"
2019-06-28 "LibreNMS 1.46 - 'addhost' Remote Code Execution" webapps php Askar
2019-06-25 "WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting" webapps php m0ze
2019-06-25 "WordPress Plugin iLive 1.0.4 - Cross-Site Scripting" webapps php m0ze
2019-06-25 "AZADMIN CMS 1.0 - SQL Injection" webapps php "felipe andrian"
2019-06-24 "SeedDMS versions < 5.1.11 - Remote Command Execution" webapps php "Nimit Jain"
2019-06-24 "SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting" webapps php "Nimit Jain"
2019-06-24 "SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting" webapps php "Nimit Jain"
2019-06-24 "dotProject 2.1.9 - SQL Injection" webapps php "Metin Yunus Kandemir"
2019-06-20 "WebERP 4.15 - SQL injection" webapps php "Semen Alexandrovich Lyhin"
2019-06-17 "AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)" remote php AkkuS
2019-06-12 "FusionPBX 4.4.3 - Remote Command Execution" webapps php "Dustin Cobb"
2019-06-11 "phpMyAdmin 4.8 - Cross-Site Request Forgery" webapps php Riemann
2019-06-11 "WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution" webapps php xulchibalraa
2019-06-10 "UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting" webapps php Unk9vvN
2019-06-04 "IceWarp 10.4.4 - Local File Inclusion" webapps php JameelNabbo
2019-06-03 "WordPress Plugin Form Maker 1.13.3 - SQL Injection" webapps php "Daniele Scanu"
2019-06-03 "KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities" webapps php SlidingWindow
2019-05-29 "pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting" webapps php "Chi Tran"
2019-05-24 "Opencart 3.0.3.2 - 'extension/feed/google_base' Denial of Service PoC" webapps php "Todor Donev"
2019-05-23 "Nagios XI 5.6.1 - SQL injection" webapps php JameelNabbo
2019-05-22 "Horde Webmail 5.2.22 - Multiple Vulnerabilities" webapps php InfinitumIT
Release Date Title Type Platform Author
2019-05-13 "OpenProject 5.0.0 - 8.3.1 - SQL Injection" webapps php "SEC Consult"
2018-08-16 "Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery" webapps php "SEC Consult"
2018-07-13 "Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure" webapps php "SEC Consult"
2018-07-13 "WAGO e!DISPLAY 7300T - Multiple Vulnerabilities" webapps php "SEC Consult"
2018-07-05 "ADB Broadband Gateways / Routers - Authorization Bypass" webapps hardware "SEC Consult"
2018-05-16 "RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting" webapps java "SEC Consult"
2018-04-24 "WSO2 Carbon / WSO2 Dashboard Server 5.3.0 - Persistent Cross-Site Scripting" webapps java "SEC Consult"
2018-03-13 "SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities" webapps aspx "SEC Consult"
2018-03-05 "ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection" webapps php "SEC Consult"
2017-12-07 "OpenEMR 5.0.0 - OS Command Injection / Cross-Site Scripting" webapps php "SEC Consult"
2017-10-18 "Afian AB FileRun 2017.03.18 - Multiple Vulnerabilities" webapps php "SEC Consult"
2017-10-18 "Linksys E Series - Multiple Vulnerabilities" webapps cgi "SEC Consult"
2017-05-09 "I_ Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting" webapps php "SEC Consult"
2017-03-22 "Solare Datensysteme Solar-Log Devices 2.8.4-56/3.5.2-85 - Multiple Vulnerabilities" webapps hardware "SEC Consult"
2017-03-08 "Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery" webapps multiple "SEC Consult"
2017-03-01 "Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting" webapps xml "SEC Consult"
2016-10-11 "RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection" webapps xml "SEC Consult"
2016-07-25 "Micro Focus Filr 2 2.0.0.421/1.2 1.2.0.846 - Multiple Vulnerabilities" webapps java "SEC Consult"
2016-02-10 "Yeager CMS 1.2.1 - Multiple Vulnerabilities" webapps php "SEC Consult"
2015-12-10 "Skybox Platform < 7.0.611 - Multiple Vulnerabilities" webapps hardware "SEC Consult"
2015-06-30 "Polycom RealPresence Resource Manager < 8.4 - Multiple Vulnerabilities" webapps hardware "SEC Consult"
2015-01-26 "Symantec Data Center Security - Multiple Vulnerabilities" webapps multiple "SEC Consult"
2015-01-14 "Ansible Tower 2.0.2 - Multiple Vulnerabilities" webapps multiple "SEC Consult"
2014-12-23 "NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities" webapps jsp "SEC Consult"
2014-11-06 "Symantec Endpoint Protection 12.1.4023.4080 - Multiple Vulnerabilities" webapps jsp "SEC Consult"
2014-07-16 "BitDefender GravityZone 5.1.5.386 - Multiple Vulnerabilities" webapps linux "SEC Consult"
2014-07-14 "Shopizer 1.1.5 - Multiple Vulnerabilities" webapps php "SEC Consult"
2014-07-01 "IBM Algorithmics RICOS 4.5.0 < 4.7.0 - Multiple Vulnerabilities" webapps jsp "SEC Consult"
2014-06-09 "WebTitan 4.01 (Build 68) - Multiple Vulnerabilities" webapps php "SEC Consult"
2014-04-24 "WD Arkeia Virtual Appliance 10.2.9 - Local File Inclusion" webapps php "SEC Consult"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/45016/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/45016/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/45016/39957/zeta-producer-desktop-cms-1420-remote-code-execution-local-file-disclosure/download/", "exploit_id": "45016", "exploit_description": "\"Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure\"", "exploit_date": "2018-07-13", "exploit_author": "\"SEC Consult\"", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
SEC Consult Vulnerability Lab Security Advisory < 20180712-0 >
=======================================================================
              title: Remote Code Execution & Local File Disclosure
            product: Zeta Producer Desktop CMS
 vulnerable version: <=14.2.0
      fixed version: >=14.2.1
         CVE number: CVE-2018-13981, CVE-2018-13980
             impact: critical
           homepage: https://www.zeta-producer.com
              found: 2017-11-25
                 by: P. Morimoto (Office Bangkok)
                     SEC Consult Vulnerability Lab 

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"With Zeta Producer, the website builder and online shop system for Windows, 
you can create and manage your website locally, on your computer. 
Get without expertise in 3 steps to your own homepage: select design, 
paste content, publish website. Finished."

Source: https://www.zeta-producer.com/de/index.html


Business recommendation:
------------------------
The vendor provides a patched version which should be installed immediately.

Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.

Furthermore, an in-depth security analysis is highly advised, as the software may be
affected from further security issues.


Vulnerability overview/description:
-----------------------------------
1) Remote Code Execution (CVE-2018-13981)
The email contact functionality of the widget "formmailer" can upload files
to the server but if the user uploads a PHP script with a .php extension 
then the server will rename it to .phps to prevent PHP code execution.

However, the attacker can upload .php5 or .phtml to the server without any 
restriction. These alternative file extensions can be executed as PHP code. 

Furthermore, the server will create a folder to store the files, with a
random name using PHP's "uniqid" function.

Unfortunately, if the server permits directory listing, the attacker
can easily browse to the uploaded PHP script. If no directory listing is 
enabled the attacker can still bruteforce the random name to gain remote 
code execution via the PHP script as well. Testing on a local server it 
took about 20 seconds to brute force the random name. This attack will 
be slower over the Internet but it is still feasible.

Also, if the user runs the Zeta Producer Desktop CMS GUI client locally,
they are also vulnerable because the web server will be running on TCP port 9153.

The root cause is in the widget "formmailer" which is enabled by default.
The following files are affected:
- /assets/php/formmailer/SendEmail.php
- /assets/php/formmailer/functions.php


2) Local File Disclosure (CVE-2018-13980)
If the user enables the widget "filebrowser" on Zeta Producer Desktop CMS an 
unauthenticated attacker can read local files by exploiting path traversal issues. 

The following files are affected:
- /assets/php/filebrowser/filebrowser.main.php


Proof of concept:
-----------------
1) Remote Code Execution (CVE-2018-13981)
The following python script can be used to exploit the chain of vulnerabilities.
[.. code has been removed to prevent misuses ..]

When the script is executed, a PHP script (shell) will be uploaded automatically.
# $ python exploit.py
# [+] injecting webshell to http://target/assets/php/formmailer/SendEmail.php
#
# 5a1a5bc991afe
# 5a1a5bc99453a
# 10812
# [*] Found :  http://target/assets/php/formmailer/upload_5a1a5bc992772/sectest.php5
# uid=33(www-data) gid=33(www-data) groups=33(www-data)


2) Local File Disclosure (CVE-2018-13980)
The parameter "file" in the "filebrowser.main.php" script can be exploited to read
arbitrary files from the OS with the privileges of the web server user.
Any unauthenticated user can exploit this issue!

http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc&do=list


Vulnerable / tested versions:
-----------------------------
The following versions have been tested which were the latest version available 
at the time of the test:

Zeta Producer Desktop CMS 14.1.0
Zeta Producer Desktop CMS 14.2.0

Source: 
- https://www.zeta-producer.com/de/download.html
- https://github.com/ZetaSoftware/zeta-producer-content/


Vendor contact timeline:
------------------------
2017-11-29: Contacting vendor through info@zeta-producer.com and various other
            email addresses from the website. No reply.
2017-12-13: Contacting vendor again, extending email address list, no reply
2018-01-09: Contacting vendor again
2018-01-10: Vendor replies, requests transmission of security advisory
2018-01-10: Sending unencrypted security advisory
2018-07-02: There was no feedback from the vendor but the version 14.2.1 fixed
            the reported vulnerabilities.
2018-07-12: Public advisory release.


Solution:
---------
Upgrade to version 14.2.1 or newer. See the vendor's download page:

https://www.zeta-producer.com/de/download.html

Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.


Workaround:
-----------
Remove "formmailer" and "filebrowser" widgets.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html