Description
This script calls the PHP function curl_exec() with a URL that is built from user input. This is not recommended, as it can lead to various vulnerabilities.
For example, an attacker can use the file:// protocol to read arbitrary files from the server (with a URL like file:///etc/passwd). It is also possible to reach computers behind the firewall using URLs like http://192.168.0.1 or ftp://192.168.0.1.
An older version of libcurl compiled with SCP support can be tricked into fetching a file through a URL with embedded semicolons, which can lead to execution of commands on the given server. "scp://name:passwd@host/a'``;date >/tmp/test``;'".
Remediation
The user should not be able to control the URL used by curl_exec(). Review the source code of this script and make the necessary adjustments. If possible, create a whitelist of accepted URLs and/or deny the use of the file:// protocol.
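One way to apply this remediation, shown as an added example that is not code from the scanned script: the URL is checked against a host allowlist before curl runs, and libcurl itself is restricted to HTTP and HTTPS. ALLOWED_HOSTS, validate_fetch_url() and fetch_allowed_url() are hypothetical names, and the example.com hosts are placeholders.

```php
<?php
// Added example: ALLOWED_HOSTS and both function names are hypothetical.
const ALLOWED_HOSTS = ['api.example.com', 'images.example.com'];

// Returns [host, port, ip] for an acceptable URL, throws otherwise.
function validate_fetch_url(string $url): array {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {   // rejects file://, ftp://, scp://
        throw new InvalidArgumentException('scheme not allowed');
    }
    $host = strtolower($p['host']);
    if (isset($p['user']) || !in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('host not on allowlist');
    }
    // Resolve once; refuse private/reserved targets (gethostbynamel is IPv4 only).
    $ips = gethostbynamel($host) ?: [];
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            throw new InvalidArgumentException('host resolves to internal address');
        }
    }
    if ($ips === []) throw new InvalidArgumentException('host does not resolve');
    return [$host, $p['port'] ?? ($scheme === 'https' ? 443 : 80), $ips[0]];
}

function fetch_allowed_url(string $url): string {
    [$host, $port, $ip] = validate_fetch_url($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // enforced by libcurl too
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,               // a redirect would bypass the allowlist
        CURLOPT_RESOLVE         => ["$host:$port:$ip"], // pin the address that was validated
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) throw new RuntimeException('fetch failed: ' . curl_error($ch));
    return $body;
}

// Constructed inputs taken from the description; each is rejected before any network I/O.
foreach (['file:///etc/passwd', 'http://192.168.0.1', 'ftp://192.168.0.1'] as $u) {
    try { validate_fetch_url($u); } catch (InvalidArgumentException $e) { echo "$u: {$e->getMessage()}\n"; }
}
```

The private-address check matters only if an allowlisted name could ever resolve to an internal host; pinning the validated address with CURLOPT_RESOLVE keeps curl from resolving the name a second time to something else.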