lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <0MOzJP-1Zr4t01vPj-006KdT@mrelayeu.kundenserver.de>
Date: Tue, 03 Nov 2015 12:00:44 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] TheHostingTool 1.2.6: Code Execution

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    TheHostingTool 1.2.6
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      https://thehostingtool.com/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/07/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Description

Themes can be uploaded via a zip file by an admin. The uploader checks the
validity of each file with a blacklist.

The blacklist misses at least two file types that will lead to code execution:
Any file with the extension .pht - which will be executed by most default
Apache configuration - and the .htaccess file - which, if parsed by the server,
will allow code execution with files with arbitrary extension. It is
recommended to use a whitelist instead of a blacklist.

Please note that admin credentials are required to exploit this issue.

3. Code


    lof.php
    if(preg_match('/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i', basename($stat['name']), $regs2)) {
$errors[] = strtoupper($regs2[1]) . ' is not a valid file type in a theme zip.';
$insecureZip = true;
break;
    }

4. Solution

This issue has not been fixed

5. Report Timeline

09/07/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/TheHostingTool-126-Code-Execution-75.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ