GilaCMS 1.11.8 – ‘/cm/delete?t=’ LFI (Local File Inclusion) and RCE

Product Owner: GilaCMS

Application Name: GilaCMS 1.11.8

CVE ID: CVE-2020-5513

Type: Installable/Customer-Controlled Application

Application Release Date: 4th December, 2019

Severity: Critical

Authentication: Required

Complexity: Easy

Vulnerability Name: Local File Inclusion in ‘/cm/delete?t=’

Vulnerability Explanation: A File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a “dynamic file inclusion” mechanism implemented in the target application.

Request:
POST /gilacms/cm/delete?t={INJECTION_POINT} HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------191691572411478
Content-Length: 258
Origin: http://localhost
Connection: close
Referer: http://localhost/gilacms/admin/content/post
Cookie: GSESSIONID=1lnubi23gip8tg9ue4gt6xtjatdgf7crevfwb8ovpl2g7dzau6; media_tab=assets; media_path=assets; asset_path=src%2Fcore%2Fassets

Verified In:
Firefox 71.0 (64-bit)
Windows 10
Hosted using XAMPP v3.2.4

Steps to Reproduce:
1. Login to the GilaCMS application as admin.
2. Create a new post and save it (http://localhost/gilacms/admin/content/post).

3. Now click on the delete icon for any of the posts created and intercept the request sent to the web server using a proxy such as Burp Suite.

4. The request sent to the web server for deleting the post:

5. On changing the value of the ‘t’ parameter to ‘../../../../../../../../WINDOWS/win.ini’ and forwarding the request, we get the contents of the win.ini file in the response.

Video POC for LFI:

Using LFI to perform Remote Code Execution:
1. Go to http://localhost/gilacms/admin/media and upload an image file.

2. Intercept the request using a proxy and change the image content to the following PHP code.

3. The image gets uploaded successfully and the images are stored in the assets folder.

4. Now, using the already found LFI vulnerability, change the ‘t’ parameter to the path where the uploaded image (test.jpg) is stored.

5. The PHP code gets executed and ‘It works’ gets echoed and printed in the response. Now, by adding another parameter (‘c’) to the request, we can perform command execution.

Video POC on exploiting LFI & RCE to get a reverse shell:

Vulnerable Code:

Reference:
Website: https://gilacms.com/
GitHub Repository: https://github.com/GilaCMS/gila
Download Version: https://github.com/GilaCMS/gila/releases/tag/1.11.8

GilaCMS 1.11.8 – Remote Code Execution

Product Owner: GilaCMS

Application Name: GilaCMS 1.11.8

CVE ID: CVE-2020-5514

Type: Installable/Customer-Controlled Application

Application Release Date: 4th December, 2019

Severity: Critical

Authentication: Required

Complexity: Easy

Vulnerability Name: Remote Code Execution

Vulnerability Explanation: Remote Code Evaluation is a vulnerability that can be exploited if user input is injected into a file or a string that is then executed (evaluated) by the programming language’s parser.

Verified In:
Mozilla Firefox 68.2.0esr (64-bit)
Kali Linux 2019.4
Hosted using Apache/2.4.41 (Debian)

Request:
GET /gilacms/lzld/thumb?src={URL_OF_PHP_FILE_TO_UPLOAD}&media_thumb=80 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/gilacms/admin/content/post
Connection: close
Cookie: GSESSIONID=1pz8sgcaj9w4btmw1lrs07sjpw0tv772n9rf6jkd0wlod37sra; media_tab=assets; media_path=assets; asset_path=src%2Fcore%2Fassets
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Steps to Reproduce:
1. Login to the GilaCMS application as admin.
2. Go to http://localhost/gila/admin/content/post.
3. Right-click on the thumbnail image and click ‘View Image’.

4. From the image URL we can see that the image path given in the ‘src’ parameter is displayed to us.

5. Host an image file on another machine using the XAMPP web server (http://192.168.1.108/poc/).

6. When the ‘src’ parameter is set to a remote image URL, the image is displayed to us. Additionally, the same image is downloaded and stored in /tmp/ and then moved to the /tmp/media_thumb/ folder.

7. Trying to access the image file directly from the web browser using the absolute path from the webroot, we can see that the image is present and gets displayed.

8. Now, setting the ‘src’ parameter to a remote PHP file, the PHP file is downloaded and stored in /tmp/ but not moved to the /tmp/media_thumb/ folder.

9. Trying to access the PHP file directly from the web browser, we get a ‘Forbidden’ error. That is because of the .htaccess file present in the directory, which blocks *.php files.

10. In order to bypass that we can instead upload a .phar or .phtml file.

11. On accessing the uploaded .phar file in a web browser, the PHP code gets executed.

12. By passing an additional ‘c’ parameter with the command to execute, we can run system commands.

Note:
The web server configuration should support other extensions such as .phar, .phtml in order for this to be exploited.

Video POC:

Vulnerable Code:
The user input (the remote URL of the PHP file) sent in the ‘src’ parameter is stored in a variable named ‘file’ (Line No: 31) and passed to the ‘thumb’ function of class ‘view’ (Line No: 35).

The ‘src’ variable which stores the user input is passed to the ‘make_thumb’ function of class ‘image’ (Line No: 407), since the check for whether the file already exists returns false.

The ‘src’ variable is again passed to another function, ‘local_path’ (Line No: 15).

The ‘_src’ variable stores the destination location where the file is to be stored (Line No: 171). The output filename is generated from the ‘src’ variable by replacing certain characters with an ‘_’. The built-in PHP function ‘copy’ is used to copy the contents of the remote file location stored in variable ‘src’ to the local file location stored in ‘_src’ (Line No: 176). No validation/checks are performed on the file being saved to the tmp/ directory.

Reference:
Website: https://gilacms.com/
GitHub Repository: https://github.com/GilaCMS/gila
Download Version: https://github.com/GilaCMS/gila/releases/tag/1.11.8

GilaCMS 1.11.8 – ‘/admin/sql?query=’ SQL Injection

Product Owner: GilaCMS

Application Name: GilaCMS 1.11.8

CVE ID: CVE-2020-5515

Type: Installable/Customer-Controlled Application

Application Release Date: 4th December, 2019

Severity: High

Authentication: Required

Complexity: Easy

Vulnerability Name: SQL Injection in ‘/admin/sql?query=’

Vulnerability Explanation: SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.

Verified In:
Firefox 71.0 (64-bit)
Windows 10
Hosted using XAMPP v3.2.4

Request:
GET /gilacms/admin/sql?query={INJECTION_POINT} HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: GSESSIONID=1za7iusvgawzjs936iegtmmtwfghbbp6ectnugwb0clvc0z37u
Upgrade-Insecure-Requests: 1

Steps to Reproduce:
1. Login to the GilaCMS application as admin.
2. Visit the following page: http://localhost/gilacms/admin/sql

3. Click on ‘Show Tables’. It takes us to http://localhost/gilacms/admin/sql?query=SHOW%20TABLES

4. The ‘query’ parameter is vulnerable to SQL injection (inline queries):
http://localhost/gilacms/admin/sql?query=SELECT VERSION(),USER()

http://localhost/gilacms/admin/sql?query=SELECT * FROM user

Vulnerable Code:
The ‘query’ parameter sent in the GET request (http://localhost/gilacms/admin/sql) is vulnerable to SQL Injection.
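As an added example that is not part of the advisory or the GilaCMS project, the following Python reads Apache combined-format access log lines and flags the three request patterns described in the write-ups above: a ‘t’ value on /cm/delete that traverses directories, a ‘src’ value on /lzld/thumb that carries a URL scheme, and a ‘query’ value on /admin/sql other than the ‘SHOW TABLES’ the UI button sends. The log lines are constructed for the example; the /gilacms site prefix, the IP address and the timestamps are assumptions about a given deployment.

```python
"""Detection over access-log lines for the GilaCMS 1.11.8 request patterns.

Added example; not advisory or project code. Log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined"/"common" request line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# "../" or "..\" as a whole path segment, in either separator style
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def parse_line(line):
    """Return a dict with ip, path and decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    # parse_qs decodes once; decode again so %252e%252e (double encoding) is caught too
    rec["qs"] = {
        k: [unquote(x) for x in v]
        for k, v in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def is_traversal(value):
    """True for parent-directory segments, absolute paths, or Windows drive letters."""
    return (
        bool(TRAVERSAL_RE.search(value))
        or value.startswith(("/", "\\"))
        or re.match(r"^[A-Za-z]:", value) is not None
    )


def classify(rec, prefix="/gilacms"):
    """Map one parsed request to a finding label, or None when it looks benign."""
    if not rec["path"].startswith(prefix):
        return None
    route = rec["path"][len(prefix):]
    qs = rec["qs"]
    if route == "/cm/delete":
        if any(is_traversal(v) for v in qs.get("t", [])):
            return "lfi-traversal"            # CVE-2020-5513 pattern
    if route == "/lzld/thumb":
        if any(urlsplit(v).scheme or is_traversal(v) for v in qs.get("src", [])):
            return "remote-thumb-source"      # CVE-2020-5514 pattern
    if route == "/admin/sql":
        # The UI button only ever sends SHOW TABLES; anything else is hand-crafted
        if any(v.strip().upper() != "SHOW TABLES" for v in qs.get("query", [])):
            return "sql-console-query"        # CVE-2020-5515 pattern
    return None


def scan(lines, prefix="/gilacms"):
    """Return (client_ip, label, raw_target) for every flagged line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec, prefix)
        if label:
            findings.append((rec["ip"], label, rec["target"]))
    return findings


# Constructed sample log: one benign and one suspicious request per endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2019:10:01:02 +0000] "GET /gilacms/admin/content/post HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Dec/2019:10:01:09 +0000] "POST /gilacms/cm/delete?t=post HTTP/1.1" 200 42',
    '10.0.0.5 - - [12/Dec/2019:10:02:15 +0000] "POST /gilacms/cm/delete?t=../../../../../../../../WINDOWS/win.ini HTTP/1.1" 200 1020',
    '10.0.0.5 - - [12/Dec/2019:10:03:40 +0000] "GET /gilacms/lzld/thumb?src=assets/logo.png&media_thumb=80 HTTP/1.1" 200 8000',
    '10.0.0.5 - - [12/Dec/2019:10:04:01 +0000] "GET /gilacms/lzld/thumb?src=http%3A%2F%2F192.168.1.108%2Fpoc%2Fx.phar&media_thumb=80 HTTP/1.1" 200 0',
    '10.0.0.5 - - [12/Dec/2019:10:05:22 +0000] "GET /gilacms/admin/sql?query=SHOW%20TABLES HTTP/1.1" 200 3000',
    '10.0.0.5 - - [12/Dec/2019:10:05:50 +0000] "GET /gilacms/admin/sql?query=SELECT%20*%20FROM%20user HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for ip, label, target in scan(SAMPLE_LOG):
        print(f"{ip} {label} {target}")
```

Only the query string is visible in an access log, so the ‘path’ parameter of the POST body in the last write-up cannot be detected this way; for that endpoint, application-side logging or a WAF that inspects bodies is needed.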

Reference:
Website: https://gilacms.com/
GitHub Repository: https://github.com/GilaCMS/gila
Download Version: https://github.com/GilaCMS/gila/releases/tag/1.11.8

GilaCMS 1.11.8 – ‘/admin/media?path=’ Directory Traversal

Product Owner: GilaCMS

Application Name: GilaCMS 1.11.8

CVE ID: CVE-2020-5512

Type: Installable/Customer-Controlled Application

Application Release Date: 4th December, 2019

Severity: Medium

Authentication: Required

Complexity: Easy

Vulnerability Name: Directory Traversal in ‘/admin/media?path=’

Vulnerability Explanation: Directory traversal is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application.

Verified In:
Firefox 71.0 (64-bit)
Windows 10
Hosted using XAMPP v3.2.4

Request:
POST /gilacms/admin/media HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 39
Origin: http://localhost
Connection: close
Referer: http://localhost/gilacms/admin/content/post
Cookie: GSESSIONID=1atvstbcjvlrv6gsdkk4lr3392otw7x4ovt70cs1fli29xkup9; media_tab=assets; media_path=assets; asset_path=src

g_response=content&path={INJECTION_POINT}

Steps to Reproduce:
1. Login to the GilaCMS application as admin.

2. Visit the following page: http://localhost/gilacms/admin/content/post

3. Click on the thumbnail option, where you can upload a new image or select an image from the media gallery.

4. Click on the Media Gallery option in the left side menu.

5. Click on either of the folders, intercept the request that is being sent to the web server using a proxy such as Burp Suite, change the ‘path’ parameter value to ‘/../../../../../’ ( path=/../../../../../ ) and forward the request.

6. Now in the web application you can see the directories present in the root directory of the file system (the C:\ drive in my case, as I have hosted the application on Windows using XAMPP).

Vulnerable Code:
The ‘path’ parameter sent in the POST request (http://localhost/gilacms/admin/media) is vulnerable to Directory traversal.
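The LFI in ‘t’ (/cm/delete), the remote ‘src’ in the thumbnail handler (see the ‘Vulnerable Code’ analysis of ‘copy’ above) and the ‘path’ traversal here share one root cause: a request parameter reaches include/copy/directory listing without being confined to a base directory. The following Python is an added example, not GilaCMS code, showing the checks a defender would place in front of those calls: refuse URL schemes and stream wrappers, refuse absolute paths, resolve the value against a fixed base and require the result to stay inside it, and for the thumbnail source also require an image extension. Because the advisory’s test host was Windows, backslashes are treated as separators too. The directory names, the image-extension allow-list and the set of content-type names assumed for ‘t’ are hypothetical.

```python
"""Path confinement for user-supplied 't', 'src' and 'path' values.

Added example; not GilaCMS code. Directory names and allow-lists are assumptions.
"""
from pathlib import Path
from urllib.parse import urlsplit

# Hypothetical deployment layout used by the example
MEDIA_ROOT = Path("/opt/gila-example/assets")
TYPES_DIR = Path("/opt/gila-example/types")

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp"}   # assumed allow-list
CONTENT_TYPES = {"post", "page", "user"}                  # assumed legitimate 't' values


class UnsafePath(ValueError):
    """Raised when a user-supplied path must not be used."""


def resolve_under(base: Path, user_value: str) -> Path:
    """Resolve user_value relative to base; raise unless the result stays inside base."""
    if not user_value or "\x00" in user_value:
        raise UnsafePath("empty or NUL-containing value")
    # A Windows host treats '\' as a separator; normalise before any check.
    user_value = user_value.replace("\\", "/")
    if user_value.startswith("/") or (
        len(user_value) > 1 and user_value[1] == ":" and user_value[0].isalpha()
    ):
        raise UnsafePath("absolute paths are refused")
    # include/copy accept stream wrappers (http://, php://, data:); refuse any scheme.
    if urlsplit(user_value).scheme:
        raise UnsafePath(f"URL or stream wrapper refused: {user_value!r}")
    root = base.resolve()
    candidate = (root / user_value).resolve()
    if candidate != root and root not in candidate.parents:
        raise UnsafePath(f"{user_value!r} escapes {root}")
    return candidate


def content_type_file(t: str, types_dir: Path = TYPES_DIR) -> Path:
    """For 't': when legitimate values form a fixed set, an allow-list beats path checks."""
    if t not in CONTENT_TYPES:
        raise UnsafePath(f"unknown content type {t!r}")
    return types_dir / f"{t}.php"          # file naming is an assumption


def thumb_source(src: str, media_root: Path = MEDIA_ROOT) -> Path:
    """For 'src': local, contained in the media directory, and an image by extension."""
    p = resolve_under(media_root, src)
    if p.suffix.lower() not in IMAGE_EXT:
        raise UnsafePath(f"not an image extension: {p.suffix!r}")
    return p


def media_dir(path: str, media_root: Path = MEDIA_ROOT) -> Path:
    """For 'path': the directory to list must stay under the media root."""
    return resolve_under(media_root, path or ".")


def is_safe(check, *args) -> bool:
    """Convenience wrapper: True when the check accepts the value."""
    try:
        check(*args)
    except UnsafePath:
        return False
    return True


if __name__ == "__main__":
    for fn, value in [
        (thumb_source, "img/logo.png"),
        (thumb_source, "http://192.168.1.108/poc/x.phar"),
        (media_dir, "/../../../../../"),
        (content_type_file, "../../../../../../../../WINDOWS/win.ini"),
    ]:
        print(f"{fn.__name__}({value!r}) -> {'accepted' if is_safe(fn, value) else 'refused'}")
```

Resolving with Path.resolve() also follows symlinks, so a symlink inside the media directory that points outside it is refused as well; that is the behaviour a defender usually wants, but it means the check must run against the real directory at request time rather than once at startup.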

Reference:
Website: https://gilacms.com/
GitHub Repository: https://github.com/GilaCMS/gila
Download Version: https://github.com/GilaCMS/gila/releases/tag/1.11.8