Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress CMS Commander Client Plugin unauthenticated PHP Object injection vulnerability

🗓️ 26 Jan 2017 00:00:00Reported by Yorick KosterType 
zdt
 zdt🔗 0day.today👁 27 Views

WordPress CMS Commander Client Plugin unauthenticated PHP Object injection vulnerability foun

Code
Abstract
A PHP Object injection vulnerability was found in the CMS Commander Client WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects. Using this vulnerability it is possible to execute arbitrary PHP code.

Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID
OVE-20160803-0003

Tested versions
This issue was successfully tested on the CMS Commander Client WordPress Plugin version 2.21.

Fix
Input validation was added to version 2.22 of CMS Commander Client to mitigate this issue.

Introduction
The CMS Commander Client WordPress Plugin can manage multiple WordPress sites from a single dashboard. A PHP Object injection vulnerability was found in the CMS Commander Client WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects.

Details
This issue is possible due to an unsafe call to unserialize() in the cmsc_authenticate() method. The input is taken directly from the POST body as can be seen in the following code fragment:

functions.php:
if( !function_exists('cmsc_authenticate')) {
function cmsc_authenticate() {

global $_cmsc_data, $_cmsc_auth, $cmsc_core;

if (!isset($HTTP_RAW_POST_DATA)) {
$HTTP_RAW_POST_DATA = file_get_contents('php://input');
}
/*if(substr($HTTP_RAW_POST_DATA, 0, 7) == "action="){
$HTTP_RAW_POST_DATA = str_replace("action=", "", $HTTP_RAW_POST_DATA);
}*/

$_cmsc_data = base64_decode($HTTP_RAW_POST_DATA);
if (!$_cmsc_data){
return;
}
$_cmsc_data = cmsc_parse_data( @unserialize($_cmsc_data) );

It has been confirmed that this issues can be used to execute arbitrary PHP code.

#  0day.today [2018-03-31]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Jan 2017 00:00Current
0.5Low risk
Vulners AI Score0.5
wordpresscms commander clientphp object injectionunauthenticated usersecurity vulnerability
27