exploit the possibilities

WordPress YITH WooCommerce Compare 2.0.9 PHP Object Injection

WordPress YITH WooCommerce Compare 2.0.9 PHP Object Injection
Posted Nov 8, 2016
Authored by Yorick Koster, Securify B.V.

WordPress YITH WooCommerce Compare plugin version 2.0.9 suffers from a PHP object injection vulnerability.

tags | exploit, php
SHA-256 | 0db04c264f42b23b55cb4613767ded49fab18d10ff1bb03155469fb2bb5d9b85

WordPress YITH WooCommerce Compare 2.0.9 PHP Object Injection

Change Mirror Download
------------------------------------------------------------------------
YITH WooCommerce Compare WordPress Plugin unauthenticated PHP Object
injection vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the YITH WooCommerce
Compare WordPress Plugin, which can be used by an unauthenticated user
to instantiate arbitrary PHP Objects. Using this vulnerability it is
possible to execute arbitrary PHP code.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160803-0006

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the YITH WooCommerce Compare
WordPress Plugin version 2.0.9.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in YITH WooCommerce Compare version 2.1.0.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/yith_woocommerce_compare_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html

This issue is possible due to an unsafe call to unserialize() in the __construct() method. The input is taken directly from the yith_woocompare_list cookie as can be seen in the following code fragment:

includes/class.yith-woocompare-frontend.php:

/**
* Constructor
*
* @return YITH_Woocompare_Frontend
* @since 1.0.0
*/
public function __construct() {

// set coookiename
if ( is_multisite() ) $this->cookie_name .= '_' . get_current_blog_id();

// populate the list of products
$this->products_list = isset( $_COOKIE[ $this->cookie_name ] ) ? json_decode( maybe_unserialize( $_COOKIE[ $this->cookie_name ] ) ) : array();

It has been confirmed that this issues can be used to execute arbitrary PHP code.
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close