Remote Code Execution in Microweber

High-Tech Bridge Security Research Lab discovered vulnerability in Microweber, which can be exploited to delete arbitrary files and compromise vulnerable system as a consequence.

1. Improper Access Control in Microweber: CVE-2013-5984
   Vulnerability exists due to improper access restriction to “/userfiles/modules/admin/backup/delete.php” script and insufficient validation of user-supplied input passed via “file” HTTP GET parameter.
   A remote unauthenticated attacker can delete arbitrary files on the target system with privileges of the web server using directory traversal sequences and NULL byte.
   The exploitation example below deletes the application’s configuration file “config.php”:
   http://[host]/userfiles/modules/admin/backup/delete.php?file=…/…/…/…/…/ config.php%00
   After deletion of the “config.php” file the application will suggest to re-install it from scratch when accessing “/index.php” file. Further exploitation of this vulnerability allows the attacker to reinstall the application and get full administrative access to it.
   After successful re-installation the attacker can use “Admin Console” module of the application to execute arbitrary PHP code on the target system.
   Simple exploit below displays output of “phpinfo()” PHP function after successful re-installation of application:
   POST /module/ HTTP/1.1
   module=admin%2Fconsole%2Fterm&data-type=admin%2Fconsole%2Fterm&i d=mw_exec_term_command&class=+module++&exec_command=cGhwaW5mbw==&exec_comman d_params=MQ%3D%3D