TheHostingTool 1.2.6: Code Execution

TheHostingTool 1.2.6: Code Execution

Date: 2015-10-07 16:07:40
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: TheHostingTool 1.2.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website:
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of curesec GmbH

2. Description

Themes can be uploaded via a zip file by an admin. The uploader checks the validity of each file with a blacklist.

The blacklist misses at least two file types that will lead to code execution: Any file with the extension .pht - which will be executed by most default Apache configuration - and the .htaccess file - which, if parsed by the server, will allow code execution with files with arbitrary extension. It is recommended to use a whitelist instead of a blacklist.

Please note that admin credentials are required to exploit this issue.

3. Code

lof.php if(preg_match('/^.+\.((?:php[3-5]?)|(?:cgi)|(?:pl)|(?:phtml))$/i', basename($stat['name']), $regs2)) { $errors[] = strtoupper($regs2[1]) . ' is not a valid file type in a theme zip.'; $insecureZip = true; break; }

4. Solution

This issue has not been fixed

5. Report Timeline

09/07/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public