TheHostingTool 1.2.6 Code Execution

2015-11-09T00:00:00
ID PACKETSTORM:134265
Type packetstorm
Reporter Tim Coen
Modified 2015-11-09T00:00:00

Description

Security Advisory - Curesec Research Team
  
1. Introduction  
  
Affected Product: TheHostingTool 1.2.6  
Fixed in: not fixed  
Fixed Version Link: n/a  
Vendor Website: https://thehostingtool.com/  
Vulnerability Type: Code Execution  
Remote Exploitable: Yes  
Reported to vendor: 09/07/2015  
Disclosed to public: 10/07/2015  
Release mode: Full Disclosure  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Description  
  
Themes can be uploaded as a zip file by an admin. The uploader checks each file
in the archive against a blacklist of file extensions.

The blacklist misses at least two file types that lead to code execution: files
with the extension .pht, which many default Apache PHP configurations hand to the
PHP interpreter, and the .htaccess file, which, if the server honours
per-directory overrides (AllowOverride), can make files with arbitrary
extensions executable. A blacklist can only ever enumerate the handlers the
developer thought of; it is recommended to use a whitelist of the file types a
theme actually needs instead.

Please note that admin credentials are required to exploit this issue.
  
3. Code  
  
  
lof.php

// Blacklist check applied to every entry of the uploaded theme zip.
// Only the listed extensions are rejected; .pht and .htaccess are not
// matched by this pattern and are extracted as-is.
if (preg_match('/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i', basename($stat['name']), $regs2)) {
    $errors[] = strtoupper($regs2[1]) . ' is not a valid file type in a theme zip.';
    $insecureZip = true;
    break;
}
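
The following is an added example, not code from TheHostingTool or from the
advisory: it runs the advisory's blacklist pattern and a whitelist-based
replacement over a constructed zip listing, so the two bypasses above (and a
path traversal entry the original check never looks at) can be seen side by
side. The whitelist of theme file types is an assumption and must be adjusted
to the real theme layout; the function names are made up for this example.

```php
<?php
// Added example: blacklist from the advisory vs. a whitelist replacement.
// Not TheHostingTool's code; THEME_WHITELIST is an assumed set of extensions.

// The exact pattern from the lof.php fragment in the advisory.
const BLACKLIST_RE = '/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i';

// Assumption: the file types a theme legitimately ships. Adjust to taste.
const THEME_WHITELIST = ['html', 'css', 'js', 'png', 'jpg', 'jpeg', 'gif', 'svg', 'woff', 'woff2', 'ttf'];

// Original logic: reject only when the basename matches the blacklist.
function blacklistRejects(string $entry): bool
{
    return (bool) preg_match(BLACKLIST_RE, basename($entry));
}

// Hardened logic: reject unless the path is relative and traversal-free and
// the basename is "name.ext" with exactly one extension from the whitelist.
// Dotfiles (.htaccess, .user.ini), double extensions (x.php.txt) and any
// extension the handler config might map to PHP (.pht, .phar) all fail this.
function whitelistRejects(string $entry): bool
{
    $entry = str_replace('\\', '/', $entry);
    if ($entry === '' || $entry[0] === '/') {
        return true;                       // empty or absolute path
    }
    foreach (explode('/', rtrim($entry, '/')) as $part) {
        if ($part === '' || $part === '.' || $part === '..') {
            return true;                   // traversal or empty component
        }
    }
    if (substr($entry, -1) === '/') {
        return false;                      // directory entry, no content
    }
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', basename($entry), $m)) {
        return true;                       // dotfile, no extension, or more than one
    }
    return !in_array(strtolower($m[1]), THEME_WHITELIST, true);
}

// Constructed sample zip listing: legitimate theme files plus the two
// bypasses from the advisory and two further cases the blacklist ignores.
$samples = [
    'mytheme/',
    'mytheme/style.css',
    'mytheme/index.html',
    'mytheme/shell.php',                   // caught by both checks
    'mytheme/shell.pht',                   // passes the blacklist (advisory)
    'mytheme/.htaccess',                   // passes the blacklist (advisory)
    'mytheme/shell.php.txt',               // passes the blacklist; execution depends on handler config
    '../../themes/default/style.css',      // traversal; basename() hides it from the blacklist
];

printf("%-32s %-10s %-10s\n", 'entry', 'blacklist', 'whitelist');
foreach ($samples as $entry) {
    printf("%-32s %-10s %-10s\n", $entry,
        blacklistRejects($entry) ? 'reject' : 'ACCEPT',
        whitelistRejects($entry) ? 'reject' : 'accept');
}
```

The whitelist check is only the application-side half. Independent of it, the
directory that extracted themes land in should be served with AllowOverride
None so an uploaded .htaccess is never read, and with PHP execution disabled,
so that any future gap in the upload check does not turn into code execution.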
  
4. Solution  
  
This issue has not been fixed; no vendor reply was received before disclosure.
  
5. Report Timeline  
  
09/07/2015 Informed Vendor about Issue (no reply)  
09/22/2015 Reminded Vendor of disclosure date (no reply)  
10/07/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/TheHostingTool-126-Code-Execution-75.html  
  
  