• Resolved aloushi

    (@aloushi)


    Hello, working on your plugins I found this plugin to be vulnerable to Code Execution:
    (User input is used as a dynamic function name. Arbitrary functions may be called.)

    An attacker might execute arbitrary PHP code with this vulnerability. User-tainted data is embedded into a function that compiles PHP code on the run and executes it, thus allowing an attacker to inject their own PHP code that will be executed. This vulnerability can lead to full server compromise.

    Code:

    $page = str_replace(SB_WE_PLUGIN_DIRNAME, '', trim($_REQUEST['page']));
    echo $sb_we_admin_start;
    echo $page(); // the request-controlled string is used directly as the function name

    OWASP
    Best Regards
    https://ww.wp.xz.cn/plugins/welcome-email-editor/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Yup I see.. thanks for this. I’ll get it looked at today and push a new version.

    cheers
    S

    Just had a look into this. You are correct in that it would cause an issue if it were accessible. However, because that page is strictly admin only (manage_options capability) then actually the only person that could use that URL parameter would be an administrator anyway. I’ve removed the code but it wasn’t a gaping security hole luckily 🙂

    ta
    S
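    The pattern reported above (a request value used as a function name) and the capability point raised in the reply can be shown together in one short PHP file. This is an added example, not the plugin's own code: the function names `sb_we_render_page*`, the page callbacks, the `SB_WE_PAGES` map and the assumed value of `SB_WE_PLUGIN_DIRNAME` are illustrative; `current_user_can()` is the real WordPress function, stubbed here only so the file runs outside WordPress.

```php
<?php
// Added example (not the plugin's code): replace a request-controlled dynamic
// function call with an allowlist dispatcher plus a capability check.

// Stand-alone stub so this file runs outside WordPress. In a real plugin
// WordPress provides current_user_can() and this stub must not exist.
if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool {
        return $cap === 'manage_options'; // constructed: pretend an admin is logged in
    }
}

if (!defined('SB_WE_PLUGIN_DIRNAME')) {
    define('SB_WE_PLUGIN_DIRNAME', 'welcome-email-editor'); // assumed value
}

// REPORTED PATTERN: the request parameter becomes the name of the function
// that is called, so any function reachable by name can be invoked.
function sb_we_render_page_unsafe(array $request): string
{
    $page = str_replace(SB_WE_PLUGIN_DIRNAME, '', trim($request['page']));
    return $page();
}

// HARDENED VERSION: the request value is only a lookup key into a fixed map
// of known page renderers; the user never chooses a function name.
function sb_we_page_settings(): string { return '<h1>Settings</h1>'; }
function sb_we_page_preview(): string  { return '<h1>Preview</h1>'; }

const SB_WE_PAGES = [
    'settings' => 'sb_we_page_settings',
    'preview'  => 'sb_we_page_preview',
];

function sb_we_render_page(array $request): string
{
    // WordPress already gates admin menu pages by capability; re-checking here
    // keeps the renderer safe if it is ever reached another way.
    if (!current_user_can('manage_options')) {
        return 'Forbidden';
    }

    $page = str_replace(SB_WE_PLUGIN_DIRNAME, '', trim((string) ($request['page'] ?? '')));
    $page = trim(strtolower($page), '_-');              // strip the slug separator
    $page = preg_replace('/[^a-z0-9_-]/', '', $page);   // normalise to a plain slug

    if (!array_key_exists($page, SB_WE_PAGES)) {
        return 'Unknown page';
    }
    return call_user_func(SB_WE_PAGES[$page]);
}

// Constructed request, as WordPress would populate $_REQUEST for
// ?page=welcome-email-editor_settings
echo sb_we_render_page(['page' => 'welcome-email-editor_settings']), PHP_EOL;

// A value that is not a known page slug is rejected rather than called.
echo sb_we_render_page(['page' => 'not_a_page']), PHP_EOL;
```

The capability check is the control the reply relies on; the allowlist removes the dynamic call entirely, so the code stays safe even if the page is later exposed to a lower-privileged role or reused outside the admin menu.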

    Thread Starter aloushi

    (@aloushi)

    Yes, but still I thought it needed to be reported 🙂

    Yes.. thanks 🙂


The topic ‘Code Execution Vulnerability’ is closed to new replies.