Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    TheHostingTool 1.2.6
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      https://thehostingtool.com/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/07/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Description

Themes can be uploaded via a zip file by an admin. The uploader checks the
validity of each file with a blacklist.

The blacklist misses at least two file types that will lead to code execution:
Any file with the extension .pht - which will be executed by most default
Apache configuration - and the .htaccess file - which, if parsed by the server,
will allow code execution with files with arbitrary extension. It is
recommended to use a whitelist instead of a blacklist.

Please note that admin credentials are required to exploit this issue.

3. Code


    lof.php
    if(preg_match('/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i', basename($stat['name']), $regs2)) {
$errors[] = strtoupper($regs2[1]) . ' is not a valid file type in a theme zip.';
$insecureZip = true;
break;
    }

4. Solution

This issue has not been fixed

5. Report Timeline

09/07/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/TheHostingTool-126-Code-Execution-75.html