Date: Thu, 27 Feb 2014 14:14:59 +0100 From: Damien Cauquil <d.cauquil@...dream.com> To: cve-assign@...re.org CC: oss-security@...ts.openwall.com Subject: Re: CVE request: PLOGGER 1.0RC1 multiple vulnerabilities > Can you explain the race condition? For example: without the true > image file, would the product extract the .php file but then delete it > very soon afterward? The zip file must at least contains a non-empty image file with a name including a valid extension, and of course the exploit php file. Once the zip uploaded, the web application tells the user it has found one or many images, and asks for a validation. If this validation step is not performed, all the unzipped files remain and the php file can be called directly with a web browser. Le 27/02/2014 14:07, cve-assign@...re.org a écrit : >> We found two vulnerabilities in PLOGGER version 1.0RC1, including: > > >> 1. Authenticated Arbitrary file upload vulnerability affecting PLOGGER >> version 1.0RC1 > >> This vulnerability allows an authenticated user to upload an arbitrary >> PHP file on the remote web server in an accessible path, by sending a >> specifically crafted zip file. > >> session.post('http://' + HOST + "/plog-admin/plog-upload.php", > >> ## Add true image file to block the race condition (mandatory not >> null) > > Use CVE-2014-2223. > > Can you explain the race condition? For example: without the true > image file, would the product extract the .php file but then delete it > very soon afterward? > > > >> 2. CAPTCHA bypass vulnerability > >> A theme called "Lucid" provided in PLOGGER version 1.0RC1 implements a >> weak CAPTCHA prone to a replay attack. By abusing this vulnerability, >> an unauthenticated user may be able to post a huge number of comments. > >> The script generating the CAPTCHA image inserts a code in the current >> user session, but this value is not unset while processing the form, >> thus allowing an attacker to submit multiple times the form with >> always the same captcha and associated code. > >> The vulnerable code is located in plog-comment.php, line 106. > > Use CVE-2014-2224. > > -- Damien Cauquil Directeur Recherche & Développement CHFI | CEH | ECSA | CEI Sysdream 108 avenue Gabriel Péri 93400 Saint Ouen Tel: +33 (0) 1 78 76 58 21 www.sysdream.com [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ