Description
This script calls the PHP function curl_exec() with a URL that is based on user input. This is not recommended, as it can lead to various vulnerabilities.
For example, an attacker can use the file:// protocol to read arbitrary files from the server (by using a URL like file:///etc/passwd). It's also possible to access computers behind the firewall using URLs like http://192.168.0.1 or ftp://192.168.0.1.
An older version of libcurl compiled with SCP support can be tricked into fetching a file whose name contains embedded semicolons, which can lead to execution of commands on the given server, for example: "scp://name:passwd@host/a'``;date >/tmp/test``;'".
Remediation
The user should not be able to control the URL used by curl_exec(). You need to review the source code of this script and make the necessary adjustments. If possible, you should create a whitelist of accepted URLs and/or deny the usage of the file:// protocol.
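The following is an added example, not code from the affected script: it shows one way to apply the whitelist and protocol restriction described above. The function names, the ALLOWED_HOSTS list and the example.com hosts are assumptions made for illustration.

```php
<?php
// Added example; function names and hosts are hypothetical.
// Vulnerable pattern described above: curl_exec(curl_init($_GET['url']));
const ALLOWED_HOSTS = ['api.example.com', 'static.example.com']; // constructed values

function is_allowed_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only https: rejects file://, ftp://, scp:// and every other scheme.
    if (strtolower($parts['scheme']) !== 'https') {
        return false;
    }
    // No embedded credentials and no non-default port.
    if (isset($parts['user']) || isset($parts['pass']) || ($parts['port'] ?? 443) !== 443) {
        return false;
    }
    // Exact host match: internal addresses such as 192.168.0.1 never match.
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
}

function fetch_allowed_url(string $url): string
{
    if (!is_allowed_url($url)) {
        throw new InvalidArgumentException('URL is not on the whitelist');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // enforced by libcurl itself
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,           // a redirect could leave the whitelist
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Fetch failed: ' . curl_error($ch));
    }
    return $body;
}

// Constructed sample inputs, checked offline (no request is sent).
$samples = ['https://api.example.com/v1/status', 'file:///etc/passwd',
            'http://192.168.0.1', 'https://user:pw@api.example.com/'];
foreach ($samples as $u) {
    printf("%-40s %s\n", $u, is_allowed_url($u) ? 'allowed' : 'rejected');
}
```

Setting CURLOPT_PROTOCOLS in addition to the parse_url() check means the scheme restriction still holds if PHP and libcurl parse an unusual URL differently.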