what you don't know can hurt you

WordPress Simple Ads Manager 2.9.8.125 PHP Object Injection

WordPress Simple Ads Manager 2.9.8.125 PHP Object Injection
Posted Mar 3, 2017
Authored by Yorick Koster, Securify B.V.

WordPress Simple Ads Manager plugin version 2.9.8.125 suffers from a PHP object injection vulnerability.

tags | exploit, php
SHA-256 | ec6251fd0911f4668303757918ecfa10fdca19a8702e8709cfa291d4df22cd8b

WordPress Simple Ads Manager 2.9.8.125 PHP Object Injection

Change Mirror Download
------------------------------------------------------------------------
Simple Ads Manager WordPress plugin unauthenticated PHP Object injection
vulnerability
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the Simple Ads Manager
WordPress plugin. The unauthenticated PHP Object injection vulnerability
can be used by an unautenthicated user to instantiate arbitrary PHP
Objects. This issue can potentially result in arbitrary code execution,
but this has not been confirmed.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0041

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was succesfully tested on the Simple Ads Manager WordPress
plugin version 2.9.8.125.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/simple_ads_manager_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html

This issue is possible due to two unsafe calls to unserialize() in the sam-ajax-loader.php file. The input is taken directly from the POST request as can be seen in the following code fragment:

sam-ajax-loader.php:

if ( in_array( $action, $allowed_actions ) ) {
switch ( $action ) {
case 'sam_ajax_load_place':
echo json_encode( array( 'success' => false, 'error' => 'Deprecated...' ) );
break;

case 'sam_ajax_load_ads':
if ( ( isset( $_POST['ads'] ) && is_array( $_POST['ads'] ) ) && isset( $_POST['wc'] ) ) {
$clauses = unserialize( base64_decode( $_POST['wc'] ) );

This issue can potentially result in arbitrary code execution, but this has not been confirmed.


------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close