OkayCMS: Unauthenticated remote code execution
Identifier: AIT-SA-20191129-01
Target: OkayCMS
Vendor: OkayCMS
Version: all versions including 2.3.4
CVE: CVE-2019-16885
Accessibility: Local
Severity: Critical
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)
Summary
OkayCMS is a simple and functional content managment system for an online store.
Vulnerability Description
An unauthenticated attacker can upload a webshell by injecting a malicious php-object via a crafted cookie. This could happen at two places. First in “view/ProductsView.php” using the cookie "price_filter" or in “api/Comparison.php” via the cookie "comparison". Both cookies will pass untrusted values to a unserialize()-function. The following code shows the vulnerability in “api/Comparison.php”:
ERROR: Content Element with uid "46248" and type "ar_codeelem" has no rendering definition!
The unsafe deserialization also occurs in “view/ProductsView.php”:
ERROR: Content Element with uid "46244" and type "ar_codeelem" has no rendering definition!
Proof of Concept
The following code utilizes an object of the smarty-component to delete arbitrary files from the webhost:
ERROR: Content Element with uid "46240" and type "ar_codeelem" has no rendering definition!
Notes
Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.
Vulnerable Versions
All versions of the “Lite”-branch including 2.3.4. Pro Versions prior 3.0.2 might have been affected too.
Tested Versions
OkayCMS-Lite 2.3.4
Impact
An unauthenticated attacker could upload a webshell to the server and execute commands remotely.
Mitigation
At the moment of this publication the vendor has only patched the paid version of the CMS, so a change to other free software or an upgrade to the Pro version of OkayCMS is recommended.
Vendor Contact Timeline
2019-08-29 | Contacting the vendor |
2019-09-04 | Vendor replied |
2019-09-17 | Vendor released commercial version 3.0.2 including a bugfix |
2019-09-29 | Public disclosure |
Advisory URL
https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms