Search

Penetration
Testing

AIT-SA-20191129-01

OkayCMS: Unauthenticated remote code execution

Identifier: AIT-SA-20191129-01
Target: OkayCMS
Vendor: OkayCMS
Version: all versions including 2.3.4
CVE: CVE-2019-16885
Accessibility: Local
Severity: Critical
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

SUMMARY

VULNERABILITY DESCRIPTION

An unauthenticated attacker can upload a webshell by injecting a malicious php-object via a crafted cookie. This could happen at two places. First in “view/ProductsView.php” using the cookie “price_filter” or in “api/Comparison.php” via the cookie “comparison”. Both cookies will pass untrusted values to a unserialize()-function. The following code shows the vulnerability in “api/Comparison.php”:

ERROR: Content Element with uid “46248” and type “ar_codeelem” has no rendering definition!

The unsafe deserialization also occurs in “view/ProductsView.php”:

ERROR: Content Element with uid “46244” and type “ar_codeelem” has no rendering definition!

PROOF OF CONCEPT

The following code utilizes an object of the smarty-component to delete arbitrary files from the webhost:

ERROR: Content Element with uid “46240” and type “ar_codeelem” has no rendering definition!

Notes

Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.

VULNERABLE VERSIONS

All versions of the “Lite”-branch including 2.3.4. Pro Versions prior 3.0.2 might have been affected too.

TESTED VERSIONS

OkayCMS-Lite 2.3.4

IMPACT

An unauthenticated attacker could upload a webshell to the server and execute commands remotely.

MITIGATION

At the moment of this publication the vendor has only patched the paid version of the CMS, so a change to other free software or an upgrade to the Pro version of OkayCMS is recommended.

VENDOR CONTACT TIMELINE

ADVISORY URL

WOLFGANG HOTWAGNER

Research Engineer /
Security & Communication Technologies