
AIT-SA-20191129-01

OkayCMS: Unauthenticated remote code execution

Identifier: AIT-SA-20191129-01
Target: OkayCMS
Vendor: OkayCMS
Version: all versions including 2.3.4
CVE: CVE-2019-16885
Accessibility: Local
Severity: Critical
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)


Summary

OkayCMS is a simple and functional content management system for an online store.

Vulnerability Description

An unauthenticated attacker can upload a webshell by injecting a malicious PHP object via a crafted cookie. This is possible at two places: in “view/ProductsView.php” via the cookie "price_filter", and in “api/Comparison.php” via the cookie "comparison". Both cookies pass untrusted values to an unserialize() call. The following code shows the vulnerability in “api/Comparison.php”:


The unsafe deserialization also occurs in “view/ProductsView.php”:

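To illustrate the cookie-to-unserialize() pattern described above, here is an added example (not OkayCMS code) showing the vulnerable handling of the "comparison" cookie next to a hardened version; the cookie name comes from the advisory, the function names and the product-id format are hypothetical.

```php
<?php
// Added example, not OkayCMS code. Cookie name from the advisory; function
// names and the assumption that the cookie holds product ids are hypothetical.

// Vulnerable pattern: the raw cookie value reaches unserialize(), so the
// client chooses which classes are instantiated and which magic methods
// (__wakeup, __destruct, __toString) run on the server.
function load_comparison_vulnerable(array $cookies): array
{
    if (!isset($cookies['comparison'])) {
        return [];
    }
    $ids = unserialize($cookies['comparison']);   // untrusted, unrestricted
    return is_array($ids) ? $ids : [];
}

// Hardened pattern: never hand user input to unserialize(). Keep the list as
// JSON, decode it to plain arrays only, and validate shape and values.
function load_comparison_hardened(array $cookies, int $maxItems = 20): array
{
    if (!isset($cookies['comparison']) || !is_string($cookies['comparison'])) {
        return [];
    }
    $decoded = json_decode($cookies['comparison'], true); // arrays, never objects
    if (!is_array($decoded)) {
        return [];                                         // malformed or not a list
    }
    $ids = [];
    foreach (array_slice($decoded, 0, $maxItems) as $id) {
        if (is_int($id) && $id > 0) {                      // product ids: positive ints
            $ids[] = $id;
        }
    }
    return $ids;
}

// Transitional fallback if the serialized format must stay for compatibility:
// allowed_classes => false (PHP >= 7.0) turns every object in the payload into
// __PHP_Incomplete_Class, so no magic method of a real class is triggered.
// Combine it with value validation; it is a stop-gap, not a replacement.
function load_comparison_legacy(array $cookies): array
{
    if (!isset($cookies['comparison']) || !is_string($cookies['comparison'])) {
        return [];
    }
    $ids = @unserialize($cookies['comparison'], ['allowed_classes' => false]);
    return is_array($ids) ? array_values(array_filter($ids, 'is_int')) : [];
}
```

Detection-wise, a cookie value containing `O:` followed by a class-name length (e.g. `O:6:"Smarty"`) where only a list of ids is expected is a useful indicator of deserialization attempts in access or WAF logs.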

Proof of Concept

The following code uses an object of the Smarty component to delete arbitrary files from the web host:


Notes

Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.

Vulnerable Versions

All versions of the “Lite” branch including 2.3.4. Pro versions prior to 3.0.2 might have been affected too.

Tested Versions

OkayCMS-Lite 2.3.4

Impact

An unauthenticated attacker could upload a webshell to the server and execute commands remotely.

Mitigation

At the time of this publication the vendor has only patched the paid version of the CMS, so switching to other free software or upgrading to the Pro version of OkayCMS is recommended.


Vendor Contact Timeline

2019-08-29 Contacting the vendor
2019-09-04 Vendor replied
2019-09-17 Vendor released commercial version 3.0.2 including a bugfix
2019-09-29 Public disclosure

Advisory URL

https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms