exploit the possibilities

WordPress CMS Commander Client 2.21 PHP Object Injection

WordPress CMS Commander Client 2.21 PHP Object Injection
Posted Jan 25, 2017
Authored by Yorick Koster, Securify B.V.

WordPress CMS Command Client plugin version 2.21 suffer from a PHP object injection vulnerability.

tags | advisory, php
MD5 | 9a7027555b61d92952f9550a552cf56f

WordPress CMS Commander Client 2.21 PHP Object Injection

Change Mirror Download
------------------------------------------------------------------------
CMS Commander Client WordPress Plugin unauthenticated PHP Object
injection vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the CMS Commander
Client WordPress Plugin, which can be used by an unauthenticated user to
instantiate arbitrary PHP Objects. Using this vulnerability it is
possible to execute arbitrary PHP code.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160803-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the CMS Commander Client WordPress
Plugin version 2.21.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Input validation was added to version 2.22 of CMS Commander Client to
mitigate this issue.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cms_commander_client_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html

This issue is possible due to an unsafe call to unserialize() in the cmsc_authenticate() method. The input is taken directly from the POST body as can be seen in the following code fragment:

functions.php:

if( !function_exists('cmsc_authenticate')) {
function cmsc_authenticate() {

global $_cmsc_data, $_cmsc_auth, $cmsc_core;

if (!isset($HTTP_RAW_POST_DATA)) {
$HTTP_RAW_POST_DATA = file_get_contents('php://input');
}
/*if(substr($HTTP_RAW_POST_DATA, 0, 7) == "action="){
$HTTP_RAW_POST_DATA = str_replace("action=", "", $HTTP_RAW_POST_DATA);
}*/

$_cmsc_data = base64_decode($HTTP_RAW_POST_DATA);
if (!$_cmsc_data){
return;
}
$_cmsc_data = cmsc_parse_data( @unserialize($_cmsc_data) );

It has been confirmed that this issues can be used to execute arbitrary PHP code.

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    3 Files
  • 21
    Oct 21st
    12 Files
  • 22
    Oct 22nd
    11 Files
  • 23
    Oct 23rd
    18 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close