Description
This script calls the PHP function curl_exec() with a URL that is based on user input. This is not recommended, as it can lead to various vulnerabilities.
For example, an attacker can use the file:// protocol to read arbitrary files from the server (by using a URL like file:///etc/passwd). It's also possible to access computers behind the firewall using URLs like http://192.168.0.1 or ftp://192.168.0.1.
An older version of libcurl compiled with SCP support can be tricked into fetching a file whose name contains embedded semicolons, which can lead to execution of commands on the given server, for example: "scp://name:passwd@host/a'``;date >/tmp/test``;'".
Remediation
The user should not be able to control the URL used by curl_exec(). You need to review the source code of this script and make the necessary adjustments. If possible, you should create a whitelist of accepted URLs and/or deny the usage of the file:// protocol.
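One way to apply this remediation, as an added example that is not part of the original advisory: the input is parsed, limited to http/https and an allowlist of hosts, checked against internal address ranges, and libcurl itself is restricted to the same protocols. The host names, `ALLOWED_HOSTS`, `build_safe_url()` and `safe_fetch()` are assumptions made for illustration.

```php
<?php
// Added example. Host names are constructed placeholders; function names are hypothetical.
const ALLOWED_HOSTS = ['api.example.com', 'images.example.com'];

// Validate user input and return [rebuilt URL, "host:port:ip" pin]; throw on anything else.
function build_safe_url(string $input): array
{
    $p = parse_url($input);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    if (!in_array($scheme, ['http', 'https'], true)) {   // rejects file://, ftp://, scp://
        throw new InvalidArgumentException('Scheme not allowed');
    }
    if (isset($p['user']) || isset($p['pass']) || !in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('Host not allowed');
    }
    $ips = gethostbynamel($host);                         // IPv4 lookup only
    if ($ips === false) {
        throw new RuntimeException('Host does not resolve');
    }
    foreach ($ips as $ip) {   // an allowlisted name must not point behind the firewall
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            throw new RuntimeException('Host resolves to an internal address');
        }
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Rebuild the URL from validated parts instead of passing the raw input to curl.
    $url  = "$scheme://$host:$port" . ($p['path'] ?? '/')
          . (isset($p['query']) ? '?' . $p['query'] : '');
    return [$url, "$host:$port:{$ips[0]}"];
}

function safe_fetch(string $input): string
{
    [$url, $pin] = build_safe_url($input);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,   // a redirect would bypass the checks above
        CURLOPT_RESOLVE         => [$pin],  // connect to the address that was checked
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Fetch failed: ' . curl_error($ch));
    }
    return $body;
}
```

The `CURLOPT_PROTOCOLS` restriction holds even if the application-level check is bypassed, so the two layers are meant to be used together rather than as alternatives.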