WP-Media: WP-Rocket
Details:
Using PHP Version: 5.6.1
Apache/ini Settings: unnecessary
Wp-Rocket Version: 2.9.3
1st. The first vulnerability is a bypass of the issue that was already patched: the patch is incomplete and can be circumvented.
The patch looks like this (/inc/front/process.php):
42: $host = str_replace( array( '..', chr(0) ), '', $host );
But poking around, I found a bypass for that specific fix, so the first vulnerability, patched in 2015, is still reproducible.
The payload I used is: .%00.../.%00.../path/file/to/include
Because of the %00, the filter does not see the '..' it is looking for, and since the null byte is an empty character that is stripped afterwards, sending .%00.../.%00.../ leaves ../../ behind.
To test this, use the following PHP code (deliberately vulnerable; it reproduces the patched filter):
<?php
// Deliberately vulnerable test case reproducing the filter from process.php
$host = $_SERVER['HTTP_HOST'];
$host = str_replace( array( '..', chr(0) ), '', $host ); // the incomplete patch
include $host; // user-controlled include
and send .%00.../.%00.../path/file/to/include as the value,
and that file will be included, so the first patch is completely incomplete and over 200k sites have been running a vulnerable version ever since.
2nd. Local File Inclusion in wp-rocket/min/config.php:
10: $host = $_SERVER['HTTP_HOST']; << SINK
11: $host = str_replace( array( '..', chr(0) ), '', $host );
12: $wp_rocket_config_file = dirname( dirname( dirname( dirname( __FILE__ ) ) ) ) . '/wp-rocket-config/' . $host . '.php';
    if ( file_exists( $wp_rocket_config_file ) && ! defined( 'ABSPATH' ) ) {
        // Create fake ABSPATH
        define( 'ABSPATH', null );
18:     require( $wp_rocket_config_file ); << ISSUE
    }
As you can see, the same issue found in process.php happens here: $host (a user-controlled value) is built into the path that gets required, and line 11 is the same patch, which is bypassable with my demo payload:
.%00.../.%00.../
The remaining bugs, concerning Imagify, were sent to Gregory; he validated them and will issue a patch.
The fix should be easy: only accept values from an allowlist of known config names, for example:
// $file stands for the user-controlled value (here $host); the strict flag on in_array avoids PHP type juggling
$safe_files = array( "test", "config", "includes", "special" );
if ( in_array( $file, $safe_files, true ) ) {
    require_once $file . "/config.php";
}
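As an added example (not WP-Rocket's code), the following shows why the str_replace filter above lets the reported payload through, and how the allowlist approach of the suggested fix, combined with a realpath containment check, rejects it. The config directory, the allowed name "example.test" and the demo file are constructed for the demonstration.

```php
<?php
// Added demonstration; not WP-Rocket code. All inputs below are constructed.

// The incomplete filter from process.php / min/config.php. str_replace applies
// the search strings in order: for ".\0.../" the '..' pass turns "..." into ".",
// leaving ".\0./", and the NUL pass then drops the byte, leaving "../".
function legacy_filter($host) {
    return str_replace(array('..', chr(0)), '', $host);
}

// Hardened lookup: the request value is only used as a key into an allowlist of
// known config names (the approach of the suggested fix), and the resulting path
// is confirmed to resolve inside the config directory before it is returned.
function resolve_config_path($host, array $allowed_hosts, $config_dir) {
    if (!in_array($host, $allowed_hosts, true)) {      // strict comparison
        return null;
    }
    $real_dir  = realpath($config_dir);
    $real_file = realpath($config_dir . '/' . $host . '.php');
    if ($real_dir === false || $real_file === false) {
        return null;                                  // missing dir or file
    }
    if (strpos($real_file, $real_dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                  // resolved outside the dir
    }
    return $real_file;
}

// Constructed demo environment: a temp config dir with one legitimate config.
$config_dir = sys_get_temp_dir() . '/wp-rocket-config-demo';
if (!is_dir($config_dir)) {
    mkdir($config_dir);
}
file_put_contents($config_dir . '/example.test.php', "<?php // demo config\n");

// The reported bypass, with %00 as a raw NUL byte.
$payload = ".\0.../.\0.../path/file/to/include";
var_dump(legacy_filter($payload));            // "../../path/file/to/include": filter bypassed
var_dump(resolve_config_path($payload, array('example.test'), $config_dir));       // NULL
var_dump(resolve_config_path('example.test', array('example.test'), $config_dir)); // real path
```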
ghost commented Jul 17, 2018

Hi, can you do an example with a complete URL?

w9w commented Oct 15, 2018

Full PoC please

JohnTroony commented Nov 27, 2018

Hey, I don't understand your PoC. Do you mind explaining a bit more?

keyurvala commented Mar 12, 2020

Can you please explain in detail?
