TheHostingTool 1.2.6 Code Execution

Type packetstorm
Reporter Tim Coen
Modified 2015-11-09T00:00:00


Security Advisory - Curesec Research Team  
1. Introduction  
Affected Product: TheHostingTool 1.2.6  
Fixed in: not fixed  
Fixed Version Link: n/a  
Vendor Website:  
Vulnerability Type: Code Execution  
Remote Exploitable: Yes  
Reported to vendor: 09/07/2015  
Disclosed to public: 10/07/2015  
Release mode: Full Disclosure  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
2. Description  
Themes can be uploaded by an admin as a zip file. The uploader checks the  
validity of each file in the archive against a blacklist of extensions.  
The blacklist misses at least two file types that lead to code execution:  
any file with the extension .pht, which most default Apache configurations  
execute as PHP, and the .htaccess file, which, if the server honours it,  
allows code execution with files of arbitrary extension. It is  
recommended to use a whitelist instead of a blacklist.  
Please note that admin credentials are required to exploit this issue.  
3. Code  
// Blacklist check: only the listed extensions are rejected, so .pht and .htaccess pass.  
if(preg_match('/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i', basename($stat['name']), $regs2)) {  
    $errors[] = strtoupper($regs2[1]) . ' is not a valid file type in a theme zip.';  
    $insecureZip = true;  
}  
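As an added illustration (not code from TheHostingTool or the advisory's author), the blacklist regex quoted above is placed next to a whitelist check and both are run over constructed zip entry names; the set of extensions a theme legitimately needs (THEME_WHITELIST) is an assumption.

```php
<?php
// Added example, not TheHostingTool code. Compares the advisory's blacklist
// regex with a whitelist check over constructed theme-zip entry names.

// Blacklist regex exactly as quoted in section 3 of the advisory.
const BLACKLIST_RE = '/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i';

// Assumed set of extensions a theme zip legitimately needs (not from the page).
const THEME_WHITELIST = ['css', 'js', 'png', 'jpg', 'gif', 'svg', 'html', 'tpl'];

// Blacklist: rejects only the listed extensions; every other name is accepted.
function blacklistAllows(string $name): bool {
    return !preg_match(BLACKLIST_RE, basename($name));
}

// Whitelist: the entry needs a non-empty base name and exactly one extension
// that is in the list. Dotfiles such as .htaccess have no extension and fail;
// requiring a single extension also avoids Apache multi-extension handling.
function whitelistAllows(string $name): bool {
    $parts = explode('.', basename($name));
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;
    }
    return in_array(strtolower($parts[1]), THEME_WHITELIST, true);
}

// Constructed entry names: normal theme assets plus the two cases the advisory names.
$samples = ['style.css', 'js/app.js', 'img/logo.png', 'index.pht', '.htaccess', 'x.php'];

printf("%-14s %-10s %-10s\n", 'entry', 'blacklist', 'whitelist');
foreach ($samples as $s) {
    printf("%-14s %-10s %-10s\n", $s,
        blacklistAllows($s) ? 'allow' : 'reject',
        whitelistAllows($s) ? 'allow' : 'reject');
}
```

Running it shows the blacklist allowing index.pht and .htaccess while the whitelist rejects both and still accepts the ordinary asset files.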
4. Solution  
This issue has not been fixed.  
5. Report Timeline  
09/07/2015 Informed Vendor about Issue (no reply)  
09/22/2015 Reminded Vendor of disclosure date (no reply)  
10/07/2015 Disclosed to public  
Blog Reference: