NibbleBlog 4.0.3: Code Execution
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: NibbleBlog 4.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact:
Website: http://www.nibbleblog.com/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 07/21/2015
Disclosed to public: 09/01/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

When uploading image files via the "My image" plugin (which is delivered with NibbleBlog by default), NibbleBlog 4.0.3 keeps the original extension of the uploaded file. Neither this extension nor the actual file type is checked, so it is possible to upload PHP files and gain code execution.

Please note that admin credentials are required.

3. Proof of Concept

1. Obtain admin credentials (for example via phishing via XSS, which can be gained via CSRF; see the advisory about CSRF in NibbleBlog 4.0.3).
2. Activate the My image plugin by visiting http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
3. Upload a PHP shell, ignoring the warnings.
4. Visit http://localhost/nibbleblog/content/private/plugins/my_image/image.php. This is the default name of images uploaded via the plugin.

4. Code

    if( $plugin->init_db() ) {
        // upload files
        foreach($_FILES as $field_name=>$file) {
            // extension is taken verbatim from the client-supplied filename;
            // neither the extension nor the file content is validated
            $extension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
            $destination = PATH_PLUGINS_DB.$plugin->get_dir_name();
            // destination name is predictable: <field name>.<client extension>
            $complete = $destination.'/'.$field_name.'.'.$extension;

            // Upload the new file and move
            if(move_uploaded_file($file["tmp_name"], $complete)) {
                // Resize images if requested by the plugin
                if(isset($_POST[$field_name.'_resize'])) {
                    $width = isset($_POST[$field_name.'_width'])?$_POST[$field_name.'_width']:200;
                    $height = isset($_POST[$field_name.'_height'])?$_POST[$field_name.'_height']:200;
                    $option = isset($_POST[$field_name.'_option'])?$_POST[$field_name.'_option']:'auto';
                    $quality = isset($_POST[$field_name.'_quality'])?$_POST[$field_name.'_quality']:100;

                    $Resize->setImage($complete, $width, $height, $option);
                    $Resize->saveImage($complete, $quality, true);
                }
            }
        }

        unset($_POST['plugin']);

        // update fields
        $plugin->set_fields_db($_POST);

        Session::set_alert($_LANG['CHANGES_HAS_BEEN_SAVED_SUCCESSFULLY']);
    }
    }

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

07/21/2015 Informed Vendor about Issue
07/22/2015 Vendor Replied
08/18/2015 Reminded Vendor of release date (no reply)
09/01/2015 Disclosed to public

7. Blog Reference

http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html
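The following is an added example, not NibbleBlog code and not part of the original advisory, showing how the upload loop in section 4 could be hardened against the issue described in section 2. The function names validate_image_upload() and store_image_upload(), the ALLOWED_IMAGE_TYPES allow-list and the commented usage sketch are assumptions; only PATH_PLUGINS_DB, $plugin->get_dir_name() and Session::set_alert() come from the page. The extension is derived from the detected content type rather than from the client-supplied filename, the file must decode as an image, and the field name used in the destination path is restricted to a safe character set.

```php
<?php
// Added example (not NibbleBlog code): hardened handling of the "My image" upload.
// validate_image_upload(), store_image_upload() and ALLOWED_IMAGE_TYPES are assumed names.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and return the extension the server will use,
 * chosen from the detected MIME type, never from $file['name'] or $file['type'].
 * Returns null when the upload must be rejected.
 */
function validate_image_upload(array $file): ?string
{
    // PHP's own upload status and origin check come first.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Detect the MIME type from the file bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }

    // The payload must actually decode as an image; a PHP file with a forged
    // magic header fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }

    return ALLOWED_IMAGE_TYPES[$mime];
}

/**
 * Move a validated upload to $destination under a server-chosen name
 * (<field name>.<detected extension>). Returns the final path or null on rejection.
 */
function store_image_upload(string $destination, string $fieldName, array $file): ?string
{
    $extension = validate_image_upload($file);
    if ($extension === null) {
        return null;
    }

    // The field name also originates from the request; keep it to a safe charset
    // so it cannot introduce path separators or dots.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $fieldName)) {
        return null;
    }

    $complete = rtrim($destination, '/') . '/' . $fieldName . '.' . $extension;
    if (!move_uploaded_file($file['tmp_name'], $complete)) {
        return null;
    }

    // Stored images never need the execute bit.
    chmod($complete, 0644);
    return $complete;
}

// Usage sketch (assumed) replacing the body of the original foreach loop:
//
// foreach ($_FILES as $field_name => $file) {
//     $path = store_image_upload(PATH_PLUGINS_DB . $plugin->get_dir_name(), $field_name, $file);
//     if ($path === null) {
//         Session::set_alert('Upload rejected: only JPEG, PNG and GIF images are accepted.');
//         continue;
//     }
//     // ... resize using $path as before ...
// }
```

As defence in depth, independent of the application code, the web server should be configured so that nothing under the upload directory (content/private/plugins/ on the page) is handled by the PHP interpreter, for example by denying requests for .php files there; then even a file that slips past validation is served as static content rather than executed.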