Full Disclosure mailing list archives

By Date By Thread TheHostingTool 1.2.6: Code Execution From: "Curesec Research Team (CRT)" <crt () curesec com>

Date: Tue, 03 Nov 2015 12:00:44 +0100

Security Advisory - Curesec Research Team 1. Introduction Affected Product: TheHostingTool 1.2.6 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: https://thehostingtool.com/ Vulnerability Type: Code Execution Remote Exploitable: Yes Reported to vendor: 09/07/2015 Disclosed to public: 10/07/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Description Themes can be uploaded via a zip file by an admin. The uploader checks the validity of each file with a blacklist. The blacklist misses at least two file types that will lead to code execution: Any file with the extension .pht - which will be executed by most default Apache configuration - and the .htaccess file - which, if parsed by the server, will allow code execution with files with arbitrary extension. It is recommended to use a whitelist instead of a blacklist. Please note that admin credentials are required to exploit this issue. 3. Code lof.php if(preg_match('/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i', basename($stat['name']), $regs2)) { $errors[] = strtoupper($regs2[1]) . ' is not a valid file type in a theme zip.'; $insecureZip = true; break; } 4. Solution This issue has not been fixed 5. Report Timeline 09/07/2015 Informed Vendor about Issue (no reply) 09/22/2015 Reminded Vendor of disclosure date (no reply) 10/07/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/TheHostingTool-126-Code-Execution-75.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: TheHostingTool 1.2.6: Code Execution Curesec Research Team (CRT) (Nov 06)