Date: Thu, 27 Feb 2014 14:14:59 +0100
From: Damien Cauquil <d.cauquil@...dream.com>
To: cve-assign@...re.org
CC: oss-security@...ts.openwall.com
Subject: Re: CVE request: PLOGGER 1.0RC1 multiple vulnerabilities

> Can you explain the race condition? For example: without the true
> image file, would the product extract the .php file but then delete it
> very soon afterward?

The zip file must at least contain a non-empty image file with a name
including a valid extension, and of course the exploit php file. Once
the zip is uploaded, the web application tells the user it has found one or
many images, and asks for a validation. If this validation step is not
performed, all the unzipped files remain and the php file can be called
directly with a web browser.


On 27/02/2014 14:07, cve-assign@...re.org wrote:
>> We found two vulnerabilities in PLOGGER version 1.0RC1, including:
> 
> 
>> 1. Authenticated Arbitrary file upload vulnerability affecting PLOGGER
>> version 1.0RC1
> 
>> This vulnerability allows an authenticated user to upload an arbitrary
>> PHP file on the remote web server in an accessible path, by sending a
>> specifically crafted zip file.
> 
>> session.post('http://' + HOST + "/plog-admin/plog-upload.php",
> 
>> ## Add true image file to block the race condition (mandatory not
>> null)
> 
> Use CVE-2014-2223.
> 
> Can you explain the race condition? For example: without the true
> image file, would the product extract the .php file but then delete it
> very soon afterward?
> 
> 
> 
>> 2. CAPTCHA bypass vulnerability
> 
>> A theme called "Lucid" provided in PLOGGER version 1.0RC1 implements a
>> weak CAPTCHA prone to a replay attack. By abusing this vulnerability,
>> an unauthenticated user may be able to post a huge number of comments.
> 
>> The script generating the CAPTCHA image inserts a code in the current
>> user session, but this value is not unset while processing the form,
>> thus allowing an attacker to submit the form multiple times with
>> always the same captcha and associated code.
> 
>> The vulnerable code is located in plog-comment.php, line 106.
> 
> Use CVE-2014-2224.
> 
> 

-- 
Damien Cauquil
Director of Research & Development
CHFI | CEH | ECSA | CEI

Sysdream
108 avenue Gabriel Péri
93400 Saint Ouen
Tel: +33 (0) 1 78 76 58 21
www.sysdream.com
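The upload issue above comes down to the gallery extracting every archive member into a web-reachable directory before anyone has checked what the members are. The following is an added example, not code from the report or from PLOGGER, written in Python rather than PHP to show the server-side check a defender would want: every entry is vetted by path, extension, size and leading bytes, and the archive is accepted or refused as a whole. The allowed types, the magic-byte table, the sample archive contents and all function names are assumptions of this example.

```python
import io
import posixpath
import zipfile

# Extensions the gallery accepts, with the leading bytes a file of that type
# must start with. Anything else (.php, .phtml, .htaccess, ...) is refused
# before a single member is written to disk. (Assumed policy for this example.)
ALLOWED_IMAGE_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample content: looks like the start of a JPEG, nothing more.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32


def build_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}. Used only to construct
    sample uploads for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unsafe_entries(archive_bytes: bytes) -> list:
    """Return the names of members that must not be written under the web root.

    A member is refused if its path would escape the destination, its
    extension is not an allowed image type, it is empty, or its leading
    bytes do not match the type its extension claims. Only the header of
    each member is read; nothing is extracted here.
    """
    refused = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = posixpath.normpath(name).split("/")
            # Absolute paths, backslashes and '..' components are traversal attempts.
            if name.startswith("/") or "\\" in name or ".." in parts:
                refused.append(name)
                continue
            ext = posixpath.splitext(name)[1].lower()
            magics = ALLOWED_IMAGE_TYPES.get(ext)
            if magics is None or info.file_size == 0:
                refused.append(name)
                continue
            with zf.open(info) as member:
                head = member.read(8)
            if not any(head.startswith(m) for m in magics):
                refused.append(name)
    return refused


def accept_archive(archive_bytes: bytes) -> bool:
    """All-or-nothing decision: the archive is accepted only if every member passes."""
    return not unsafe_entries(archive_bytes)


def stage_archive(archive_bytes: bytes, staging_root: str) -> list:
    """Extract a vetted archive into a staging directory and return the paths.

    staging_root is assumed to lie outside the document root, so nothing in
    it is reachable by URL. Files are moved into the gallery only after the
    user's validation step; an abandoned upload is removed with its staging
    directory instead of staying on the web server.
    """
    refused = unsafe_entries(archive_bytes)
    if refused:
        raise ValueError(f"archive refused, unsafe members: {refused}")
    extracted = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                extracted.append(zf.extract(info, staging_root))
    return extracted


if __name__ == "__main__":
    mixed = build_archive({"holiday.jpg": SAMPLE_JPEG, "shell.php": b"<?php ?>"})
    print("refused members:", unsafe_entries(mixed))   # ['shell.php']
    print("accepted:", accept_archive(build_archive({"holiday.jpg": SAMPLE_JPEG})))
```

Checking the leading bytes matters because an extension test alone still accepts a renamed script; the all-or-nothing decision matters because extracting the image and quietly dropping the script would still leave the interrupted-validation state the report describes if any member slipped through.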
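The CAPTCHA bypass quoted above is a single-use token that is never consumed: the code stays in the session after the form is processed, so one solved image answers any number of submissions. This added example, not code from the report or from the "Lucid" theme, models that in Python with a dictionary standing in for the PHP session. It places the vulnerable check beside a hardened one that removes the code on every verification attempt and compares it in constant time; the alphabet, code length and function names are assumptions of this example.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumed CAPTCHA alphabet


def issue_captcha(session: dict, length: int = 6) -> str:
    """Runs when the CAPTCHA image is rendered: store the expected code in the
    session and return it (a real script would draw it into the image)."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(length))
    session["captcha"] = code
    return code


def verify_vulnerable(session: dict, submitted: str) -> bool:
    """Check the answer but leave the code in the session, the flaw the report
    describes: a captured code remains valid for every later submission."""
    expected = session.get("captcha")
    return expected is not None and submitted == expected


def verify_hardened(session: dict, submitted: str) -> bool:
    """Consume the code on every attempt, right or wrong, so each rendered
    image answers at most one form submission. A failed attempt also forces
    a fresh image, which blocks guessing against a fixed code."""
    expected = session.pop("captcha", None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def count_accepted_replays(verify, attempts: int = 5) -> int:
    """Solve one CAPTCHA, then resubmit the same answer `attempts` times and
    count how many submissions the given verifier accepts."""
    session = {}
    code = issue_captcha(session)
    return sum(1 for _ in range(attempts) if verify(session, code))


if __name__ == "__main__":
    print("vulnerable accepts:", count_accepted_replays(verify_vulnerable))  # 5
    print("hardened accepts:", count_accepted_replays(verify_hardened))      # 1
```

With the hardened verifier the replay stops at one accepted comment per rendered image; rate limiting per session or address is a separate, complementary control for the "huge number of comments" outcome the report mentions.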


