exploit the possibilities

WordPress CMS Commander Client 2.21 PHP Object Injection

WordPress CMS Commander Client 2.21 PHP Object Injection
Posted Jan 25, 2017
Authored by Yorick Koster, Securify B.V.

WordPress CMS Command Client plugin version 2.21 suffer from a PHP object injection vulnerability.

tags | advisory, php
MD5 | 9a7027555b61d92952f9550a552cf56f

WordPress CMS Commander Client 2.21 PHP Object Injection

Change Mirror Download
------------------------------------------------------------------------
CMS Commander Client WordPress Plugin unauthenticated PHP Object
injection vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the CMS Commander
Client WordPress Plugin, which can be used by an unauthenticated user to
instantiate arbitrary PHP Objects. Using this vulnerability it is
possible to execute arbitrary PHP code.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160803-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the CMS Commander Client WordPress
Plugin version 2.21.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Input validation was added to version 2.22 of CMS Commander Client to
mitigate this issue.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cms_commander_client_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html

This issue is possible due to an unsafe call to unserialize() in the cmsc_authenticate() method. The input is taken directly from the POST body as can be seen in the following code fragment:

functions.php:

if( !function_exists('cmsc_authenticate')) {
function cmsc_authenticate() {

global $_cmsc_data, $_cmsc_auth, $cmsc_core;

if (!isset($HTTP_RAW_POST_DATA)) {
$HTTP_RAW_POST_DATA = file_get_contents('php://input');
}
/*if(substr($HTTP_RAW_POST_DATA, 0, 7) == "action="){
$HTTP_RAW_POST_DATA = str_replace("action=", "", $HTTP_RAW_POST_DATA);
}*/

$_cmsc_data = base64_decode($HTTP_RAW_POST_DATA);
if (!$_cmsc_data){
return;
}
$_cmsc_data = cmsc_parse_data( @unserialize($_cmsc_data) );

It has been confirmed that this issues can be used to execute arbitrary PHP code.

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    2 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    15 Files
  • 20
    Oct 20th
    20 Files
  • 21
    Oct 21st
    12 Files
  • 22
    Oct 22nd
    14 Files
  • 23
    Oct 23rd
    3 Files
  • 24
    Oct 24th
    1 Files
  • 25
    Oct 25th
    33 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close