
TheHostingTool 1.2.6: Code Execution
Date: 2015-10-07 16:07:40
1. Introduction
Affected Product: TheHostingTool 1.2.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: https://thehostingtool.com/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH
2. Description
Themes can be uploaded as a zip file by an admin. The uploader checks each file in the archive against a blacklist of extensions.
The blacklist misses at least two file types that lead to code execution: any file with the extension .pht, which most default Apache configurations execute as PHP, and the .htaccess file, which, if honoured by the server, allows code execution through files with an arbitrary extension. It is recommended to use a whitelist instead of a blacklist.
Please note that admin credentials are required to exploit this issue.
3. Code
lof.php
// Blacklist check applied to each entry of the uploaded theme zip.
// The pattern only covers php, php3-5, cgi, pl and phtml; .pht and .htaccess are not matched.
if(preg_match('/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i', basename($stat['name']), $regs2)) {
    $errors[] = strtoupper($regs2[1]) . ' is not a valid file type in a theme zip.';
    $insecureZip = true;
    break;
}
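The blacklist check from lof.php above, reimplemented in Python beside the whitelist approach the advisory recommends, as an added example that is not the project's code; the allowed-extension set and the zip listing are constructed assumptions.

```python
import re

# The blacklist pattern as quoted from lof.php in the advisory.
BLACKLIST_RE = re.compile(r'^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$', re.IGNORECASE)

# Assumed whitelist of file types a theme archive legitimately needs.
ALLOWED_EXTENSIONS = {'html', 'tpl', 'css', 'js', 'png', 'jpg', 'gif', 'svg', 'txt'}


def zip_basename(name: str) -> str:
    """Zip entries use '/' separators; take the last path component."""
    return name.rsplit('/', 1)[-1]


def blacklist_rejects(name: str) -> bool:
    """Reproduce the page's check: True if the blacklist flags the entry."""
    return BLACKLIST_RE.search(zip_basename(name)) is not None


def whitelist_accepts(name: str) -> bool:
    """Whitelist alternative: every dot-separated suffix must be an allowed type."""
    base = zip_basename(name)
    if base.startswith('.'):      # dotfiles such as .htaccess are never theme assets
        return False
    parts = base.split('.')
    if len(parts) < 2:            # no extension at all: reject rather than guess
        return False
    # Checking every suffix also catches double extensions like logo.png.php.
    return all(p.lower() in ALLOWED_EXTENSIONS for p in parts[1:])


# Constructed sample listing, not taken from the advisory.
SAMPLE_ZIP_LISTING = [
    'theme/index.tpl',
    'theme/style.css',
    'theme/shell.php',
    'theme/shell.pht',
    'theme/.htaccess',
    'theme/logo.png.php',
]


def blacklist_gaps(names):
    """Entries the blacklist lets through that a whitelist would have rejected."""
    return [n for n in names if not blacklist_rejects(n) and not whitelist_accepts(n)]
```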
4. Solution
This issue has not been fixed.
5. Report Timeline
09/07/2015: Informed Vendor about Issue (no reply)
09/22/2015: Reminded Vendor of disclosure date (no reply)
10/07/2015: Disclosed to public