Security Advisory - Curesec Research Team 1. Introduction Affected Product: TheHostingTool 1.2.6 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://ift.tt/1PfEAu7 Vulnerability Type: Code Execution Remote Exploitable: Yes Reported to vendor: 09/07/2015 Disclosed to public: 10/07/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Description Themes can be uploaded via a zip file by an admin. The uploader checks the validity of each file with a blacklist. The blacklist misses at least two file types that will lead to code execution: Any file with the extension .pht - which will be executed by most default Apache configuration - and the .htaccess file - which, if parsed by the server, will allow code execution with files with arbitrary extension. It is recommended to use a whitelist instead of a blacklist. Please note that admin credentials are required to exploit this issue. 3. Code lof.php if(preg_match('/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i', basename($stat['name']), $regs2)) { $errors[] = strtoupper($regs2[1]) . ' is not a valid file type in a theme zip.'; $insecureZip = true; break; } 4. Solution This issue has not been fixed 5. Report Timeline 09/07/2015 Informed Vendor about Issue (no reply) 09/22/2015 Reminded Vendor of disclosure date (no reply) 10/07/2015 Disclosed to public Blog Reference: http://ift.tt/1MgGIMt
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment