oss-sec mailing list archives
Re: CVE request: PLOGGER 1.0RC1 multiple vulnerabilities
From: Damien Cauquil <d.cauquil () sysdream com>
Date: Thu, 27 Feb 2014 14:14:59 +0100
Can you explain the race condition? For example: without the true image file, would the product extract the .php file but then delete it very soon afterward?
The zip file must at least contain a non-empty image file with a name including a valid extension, and of course the exploit PHP file. Once the zip is uploaded, the web application tells the user it has found one or more images and asks for a validation. If this validation step is not performed, all the unzipped files remain and the PHP file can be called directly with a web browser.

On 27/02/2014 14:07, cve-assign () mitre org wrote:
We found two vulnerabilities in PLOGGER version 1.0RC1, including:

1. Authenticated arbitrary file upload vulnerability affecting PLOGGER version 1.0RC1

This vulnerability allows an authenticated user to upload an arbitrary PHP file on the remote web server in an accessible path, by sending a specifically crafted zip file.

session.post('http://' + HOST + "/plog-admin/plog-upload.php",

## Add true image file to block the race condition (mandatory not null)

Use CVE-2014-2223. Can you explain the race condition? For example: without the true image file, would the product extract the .php file but then delete it very soon afterward?

2. CAPTCHA bypass vulnerability

A theme called "Lucid" provided in PLOGGER version 1.0RC1 implements a weak CAPTCHA prone to a replay attack. By abusing this vulnerability, an unauthenticated user may be able to post a huge number of comments.

The script generating the CAPTCHA image inserts a code in the current user session, but this value is not unset while processing the form, thus allowing an attacker to submit the form multiple times, always with the same CAPTCHA and associated code.

The vulnerable code is located in plog-comment.php, line 106.

Use CVE-2014-2224.
--
Damien Cauquil
Director of Research & Development
CHFI | CEH | ECSA | CEI
Sysdream
108 avenue Gabriel Péri
93400 Saint Ouen
Tel: +33 (0) 1 78 76 58 21
www.sysdream.com
Attachment:
signature.asc
Description: OpenPGP digital signature
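Added illustration of the upload issue discussed in the reply above. This is editorial example code, not Plogger's code and not the original PoC: it builds, in memory, a zip of the shape the reply describes (a non-empty image next to a PHP file), shows that an extract-first import that then waits for the user's validation leaves the .php file on disk, and contrasts it with a validate-before-extract check. The entry names, the stub JPEG bytes and the PHP payload are constructed; the validation rules (extension allowlist, matching magic bytes, non-empty entries, no path traversal) are an assumed hardening, not a description of the upstream fix.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample data (not from the advisory): a stub that starts with a JPEG
# header so it is non-empty and looks like an image, and a trivial PHP file
# standing in for the attacker's payload.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
PHP_PAYLOAD = b"<?php echo 'hello'; ?>"

# Assumed allowlist: image extensions and the magic bytes each must start with.
EXPECTED_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def build_zip(entries):
    """Build a zip archive in memory from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def malicious_upload():
    """Archive shape the reply relies on: a real, non-empty image so the gallery
    reports a found image and waits for validation, plus the PHP file."""
    return build_zip([("album/photo.jpg", FAKE_JPEG), ("album/shell.php", PHP_PAYLOAD)])


def naive_import(zip_bytes, dest):
    """Extract-first behaviour: everything is unpacked, then the images are listed
    for the user to validate. Returns (images_reported, files_left_on_disk)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        images = [n for n in zf.namelist()
                  if os.path.splitext(n)[1].lower() in EXPECTED_MAGIC]
    left = sorted(os.path.relpath(os.path.join(d, f), dest)
                  for d, _, fs in os.walk(dest) for f in fs)
    return images, left


def validate_archive(zip_bytes):
    """Pre-extraction check: each file entry must stay inside the extraction
    directory, carry an allowlisted image extension, be non-empty and start with
    the magic bytes for that extension. Returns (ok, reasons)."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry, carries no content
            if os.path.isabs(name) or ".." in name.split("/"):
                reasons.append(f"{name}: path escapes extraction directory")
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXPECTED_MAGIC:
                reasons.append(f"{name}: extension {ext or '(none)'} is not an image")
                continue
            if info.file_size == 0:
                reasons.append(f"{name}: empty file")
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            if not any(head.startswith(m) for m in EXPECTED_MAGIC[ext]):
                reasons.append(f"{name}: content does not match {ext} magic bytes")
    return (not reasons), reasons


def safe_import(zip_bytes, dest):
    """Validate first; only extract when every entry passed."""
    ok, reasons = validate_archive(zip_bytes)
    if not ok:
        return False, reasons
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
    return True, []


def demo():
    """Run both import paths against the malicious archive in temporary dirs."""
    payload = malicious_upload()
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        images, left = naive_import(payload, d1)
        ok, reasons = safe_import(payload, d2)
        return {"images": images, "left": left, "safe_ok": ok,
                "reasons": reasons, "safe_files": sorted(os.listdir(d2))}


if __name__ == "__main__":
    print(demo())
```

The naive path reports one image and leaves album/shell.php on disk regardless of whether the validation step ever happens, which is the situation the reply describes; the checked path rejects the archive before anything touches the filesystem, so there is no window to exploit.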
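Added illustration of the CAPTCHA replay described in the quoted advisory. This is editorial example code, not plog-comment.php and not Plogger's fix: an in-memory dict stands in for the PHP session, one handler keeps the stored code after a successful check (the replayable behaviour the advisory describes), the other consumes it on every attempt so a solved CAPTCHA is usable exactly once. Function names, the code alphabet and the attempt count are assumptions.

```python
import hmac
import secrets
import string

# Stand-in for $_SESSION: one dict per client (assumption: the real application
# keys the session by cookie; that detail is irrelevant to the replay).
def new_session():
    return {}


def captcha_image(session, length=5):
    """Mimics the image script: pick a random code, store it in the session,
    and return the code (what a user reads off the rendered image)."""
    alphabet = string.ascii_uppercase + string.digits
    code = "".join(secrets.choice(alphabet) for _ in range(length))
    session["captcha"] = code
    return code


def _matches(expected, user_code):
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), str(user_code).encode("utf-8"))


def post_comment_vulnerable(session, comments, user_code, text):
    """Checks the code but never unsets it: the same session cookie plus the
    same code can be replayed for as many comments as the attacker likes."""
    if not _matches(session.get("captcha"), user_code):
        return False
    comments.append(text)
    return True


def post_comment_fixed(session, comments, user_code, text):
    """Single-use code: popped before the comparison, so it is consumed on
    both success and failure and the next post needs a fresh CAPTCHA."""
    expected = session.pop("captcha", None)
    if not _matches(expected, user_code):
        return False
    comments.append(text)
    return True


def replay(handler, attempts=50):
    """Attacker flow: solve one CAPTCHA, then resubmit the form with the same
    session and code. Returns how many comments the handler accepted."""
    session, comments = new_session(), []
    code = captcha_image(session)
    return sum(handler(session, comments, code, f"spam {i}") for i in range(attempts))


if __name__ == "__main__":
    print("vulnerable:", replay(post_comment_vulnerable))
    print("fixed:     ", replay(post_comment_fixed))
```

Popping the value before comparing is the key detail: unsetting it only on success would still let an attacker probe codes against one session indefinitely.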
Current thread:
- CVE request: PLOGGER 1.0RC1 multiple vulnerabilities Damien Cauquil (Feb 26)
- Re: CVE request: PLOGGER 1.0RC1 multiple vulnerabilities cve-assign (Feb 27)
- Re: CVE request: PLOGGER 1.0RC1 multiple vulnerabilities Damien Cauquil (Feb 27)
- Re: CVE request: PLOGGER 1.0RC1 multiple vulnerabilities cve-assign (Feb 27)
- Re: CVE request: PLOGGER 1.0RC1 multiple vulnerabilities Damien Cauquil (Feb 27)
- Re: CVE request: PLOGGER 1.0RC1 multiple vulnerabilities Damien Cauquil (Feb 27)
- Re: CVE request: PLOGGER 1.0RC1 multiple vulnerabilities cve-assign (Feb 27)