TheHostingTool version 1.2.6 suffers from a code execution vulnerability.
6021bfb27e789e55e0282f5f98a9e078f25dceb84d1c522ed3a9a23fb0379ffd
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: TheHostingTool 1.2.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: https://thehostingtool.com/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Description
Themes can be uploaded via a zip file by an admin. The uploader checks the
validity of each file with a blacklist.
The blacklist misses at least two file types that will lead to code execution:
Any file with the extension .pht - which will be executed by most default
Apache configuration - and the .htaccess file - which, if parsed by the server,
will allow code execution with files with arbitrary extension. It is
recommended to use a whitelist instead of a blacklist.
Please note that admin credentials are required to exploit this issue.
3. Code
lof.php
if(preg_match('/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i', basename($stat['name']), $regs2)) {
$errors[] = strtoupper($regs2[1]) . ' is not a valid file type in a theme zip.';
$insecureZip = true;
break;
}
4. Solution
This issue has not been fixed
5. Report Timeline
09/07/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/TheHostingTool-126-Code-Execution-75.html