CVE-2020-2553 Command Injection in CMS Uno a CMS Server
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.
1.1 Vulnerability Summary
An authenticated attacker can inject malicious code into the "lang" parameter handled by the /uno/central.php file in CMS Uno 1.6.2 and have that PHP code run in the web page. In this way, the attacker can take control of the server.
As Fatih Çelik of Bilishim, Turkey read through the code in the /uno/central.php file, he realized that the code on this page is imported into the uno.php page and that an attacker could therefore run code on the server. He discovered that by sending a specially crafted "POST" request to config.php and embedding an OS command in the "lang" parameter on this page, he could perform OS command injection. He sent a NetCat command and was able to establish a reverse shell.
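To illustrate the bug class the summary describes (a request parameter persisted into a PHP file that the application later includes) and the fix a maintainer would apply, here is an added PHP example. It is not CMS Uno's code; the settings file path, the `$_POST['lang']` handling and the allowlist of language codes are assumptions made for illustration.

```php
<?php
// Added illustration, not CMS Uno's code. Assumed layout: a settings file
// that the application later include()s, and a "lang" value taken from POST.

const SETTINGS_FILE = __DIR__ . '/settings.php';   // assumed path

// VULNERABLE PATTERN: the raw parameter is interpolated into PHP source.
// Whatever the client sends becomes code the next time settings.php is included.
function saveLanguageUnsafe(string $lang): void
{
    $php = "<?php\n\$lang = '" . $lang . "';\n";
    file_put_contents(SETTINGS_FILE, $php);
}

// HARDENED: accept only a closed allowlist of language codes, and never build
// PHP source from user input; persist data, not code.
const ALLOWED_LANGS = ['en', 'de', 'fr', 'es', 'tr'];   // assumed set

function validateLanguage(string $lang): string
{
    // Normalise, then reject anything that is not exactly an allowlisted code.
    $lang = strtolower(trim($lang));
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        throw new InvalidArgumentException('unsupported language code');
    }
    return $lang;
}

function saveLanguageSafe(string $lang): void
{
    $lang = validateLanguage($lang);
    // Store as JSON data; readers use json_decode(), never include().
    $json = json_encode(['lang' => $lang], JSON_THROW_ON_ERROR);
    file_put_contents(SETTINGS_FILE . '.json', $json, LOCK_EX);
}

// Request handler: reject bad input with a 400 instead of writing it to disk.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['lang'])) {
    try {
        saveLanguageSafe((string) $_POST['lang']);
        echo "language updated\n";
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo "invalid language\n";
    }
}
```

Any value that is not on the allowlist, including anything containing PHP tags or shell metacharacters, never reaches the settings file, so the later include has nothing attacker-controlled to execute.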
1.2 CVSS Score
The CVSS Base Score is 8.8 (High)
1.3 Affected Version
Uno v1.6.2 is affected
1.4 Vulnerability Attribution
Fatih Çelik of Bilishim, Turkey
1.5 Risk Impact
Many consider Uno CMS a very fast CMS with many plugins. It is a popular CMS on Azure. Uno CMS is particularly suited to building websites that need to be used on touch screens. Websites built on Uno CMS are easy to navigate and use, and plugins can easily be configured to make themes and sites highly effective. As a result, CMS Uno has a good-sized footprint. An attacker can now run arbitrary code on the remote endpoint. Fatih Çelik has posted a public exploit.
1.6 Virsec Security Platform (VSP) Support
The Virsec Security Platform (VSP) Web can detect command injection attacks reliably and can save its customers from this type of attack.