Created July 25, 2017 14:37
WP-Media: WP-Rocket
Details:
Using PHP Version: 5.6.1
Apache/ini Settings: unnecessary
WP-Rocket Version: 2.9.3

1st. The vulnerability is a bypass of the issue that was already patched: the patch is incomplete and can be bypassed.
The patch looks like this, in /inc/front/process.php:

    42: $host = str_replace( array( '..', chr(0) ), '', $host );

But poking around, I have found a bypass for that specific fix, so the first vulnerability, which was patched in 2015, is still reproducible.
The payload I used is: .%00.../.%00.../path/file/to/include
Because of the %00, the filter wouldn't find the ".." but, since null is an empty character, it will create ../../ for us when we send .%00.../.%00.../
To test this, use the following PHP code:

    $host = $_SERVER['HTTP_HOST'];
    $host = str_replace( array( '..', chr(0) ), '', $host );
    include $host;

and send .%00.../.%00.../path/file/to/include, and that file will be included. So the first patch is incomplete, and over 200k sites have been using a vulnerable version ever since.

2nd. Local File Inclusion in wp-rocket/min/config.php:

    10: $host = $_SERVER['HTTP_HOST']; << SINK
    11: $host = str_replace( array( '..', chr(0) ), '', $host );
    12: $wp_rocket_config_file = dirname( dirname( dirname( dirname( __FILE__ ) ) ) ) . '/wp-rocket-config/' . $host . '.php';
        if ( file_exists( $wp_rocket_config_file ) && ! defined( 'ABSPATH' ) ) {
            // Create fake ABSPATH
            define( 'ABSPATH', null );
    18:     require( $wp_rocket_config_file ); << ISSUE
        }

As you can see, the same issue that is found in process.php is happening here: it is including $host (a user-controlled value), with line 11 being a patch which is also bypassable with my demo payload:
.%00.../.%00.../
The rest of the bugs, concerning Imagify, were sent to Gregory, who validated them and will issue a patch.
Fix should be easy:

    // Allow-list of the only values that may be turned into a file name
    $safe_files = array( "test", "config", "includes", "special" );
    if ( in_array( $file, $safe_files ) ) {
        require_once $file . "/config.php";
    }
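The following is an added example, not code from this gist or from WP-Rocket, showing why the quoted str_replace() filter fails on the payload above and how a validator that rejects unexpected Host values (instead of stripping characters) closes the gap. The function names, the hostname pattern and the sample values are this example's own choices.

```php
<?php
// Added example (not WP-Rocket code): the sequential-replacement filter quoted
// in the report versus a validator that rejects instead of stripping.

// The filter as quoted in the report. str_replace() applies each search term in
// order over the whole string: every '..' is removed first, every chr(0) second.
// A NUL byte sitting between two dots hides that pair from the first pass, and
// the second pass then removes the NUL byte and re-creates the '..'.
function rocket_style_filter($host) {
    return str_replace(array('..', chr(0)), '', $host);
}

// If a strip-based filter must be kept, repeating it until the string stops
// changing prevents a later pass from re-creating what an earlier pass removed.
function filter_until_stable($host) {
    do {
        $before = $host;
        $host = str_replace(array('..', chr(0)), '', $host);
    } while ($host !== $before);
    return $host;
}

// Preferred: validate the Host value against an allow-list pattern and reject
// anything else. The pattern (RFC 1123 hostname, optional :port) is this
// example's choice; a fixed list of the site's own hostnames is stricter still.
function strict_host($host) {
    $pattern = '/\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]*[a-z0-9])?'
             . '(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*(?::\d{1,5})?\z/i';
    return preg_match($pattern, $host) === 1 ? $host : null;
}

// Constructed input: the payload from the report, URL-decoded so the string
// holds a real NUL byte, as the report describes the server receiving it.
$payload = urldecode('.%00.../.%00.../path/file/to/include');

// Single pass: both '..' sequences are re-created by the NUL-byte removal.
echo rocket_style_filter($payload), "\n";
// Repeated passes: no '..' survives, but the result is still an odd path.
echo filter_until_stable($payload), "\n";
// Validator: the payload is rejected (null); a normal host:port is returned unchanged.
var_dump(strict_host($payload), strict_host('example.com:8080'));
```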
Full PoC please
Full POC please
Hey, I don't understand your PoC. Do you mind explaining a bit more?
Full PoC
including Example url please
Can you please explain in detail?