Project: WordPress plugin Jetpack by WordPress.com, version 6.6.1

Vulnerability: #9217807 (2018-10-30 09:10:13)

Warning

Automated findings such as this one include many false positives and unexploitable results. Build a working proof-of-concept (PoC) exploit before reporting anything to the vendor.

Details:

Sink: is_readable() — a PHP standard-library call; the tainted path reaches is_file()/is_readable() at line 4245.
Source (risk): $_GET['p'], returned by scss_server::inputName() at line 4225 (with $_SERVER['PATH_INFO'] and $_SERVER['DOCUMENT_URI'] as fallbacks).
Location: /jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php:4225 (source excerpt follows)
4205  	/**
4206  	 * Join path components
4207  	 *
4208  	 * @param string $left  Path component, left of the directory separator
4209  	 * @param string $right Path component, right of the directory separator
4210  	 *
4211  	 * @return string
4212  	 */
4213  	protected function join($left, $right) {
4214  		return rtrim($left, '/\\') . DIRECTORY_SEPARATOR . ltrim($right, '/\\');
4215  	}
4216  
4217  	/**
4218  	 * Get name of requested .scss file
4219  	 *
4220  	 * @return string|null
4221  	 */
4222  	protected function inputName() {
4223  		switch (true) {
4224  			case isset($_GET['p']):
4225 return $_GET['p'];
4226 case isset($_SERVER['PATH_INFO']): 4227 return $_SERVER['PATH_INFO'];
Threat level: 1 (low). Before the tainted value reaches the sink, findInput() rejects any input containing `..`, requires a `.scss` suffix, and join() strips leading `/` and `\` before prefixing $this->dir, so only files below that directory can pass the is_file()/is_readable() check. Note that is_readable() itself discloses nothing; the actual read is file_get_contents($in) at line 4306, whose result is compiled and served as CSS. A working PoC would still have to show that scss_server::serve() is reachable over HTTP in this plugin and what $this->dir points to — neither is visible in this trace.

Call stack (from the sink outward to the HTTP entry point):

scss_server::findInput — /jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php:4245 (source excerpt follows)
4225  				return $_GET['p'];
4226  			case isset($_SERVER['PATH_INFO']):
4227  				return $_SERVER['PATH_INFO'];
4228  			case isset($_SERVER['DOCUMENT_URI']):
4229  				return substr($_SERVER['DOCUMENT_URI'], strlen($_SERVER['SCRIPT_NAME']));
4230  		}
4231  	}
4232  
4233  	/**
4234  	 * Get path to requested .scss file
4235  	 *
4236  	 * @return string
4237  	 */
4238  	protected function findInput() {
4239  		if (($input = $this->inputName())
4240  			&& strpos($input, '..') === false
4241  			&& substr($input, -5) === '.scss'
4242  		) {
4243  			$name = $this->join($this->dir, $input);
4244  
4245 if (is_file($name) && is_readable($name)) {
4246 return $name; 4247 }
scss_server::serve — /jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php:4325 (source excerpt follows)
4305  		$start = microtime(true);
4306  		$css = $this->scss->compile(file_get_contents($in), $in);
4307  		$elapsed = round((microtime(true) - $start), 4);
4308  
4309  		$v = scssc::$VERSION;
4310  		$t = date('r');
4311  		$css = "/* compiled by scssphp $v on $t (${elapsed}s) */\n\n" . $css;
4312  
4313  		file_put_contents($out, $css);
4314  		file_put_contents($this->importsCacheName($out),
4315  			serialize($this->scss->getParsedFiles()));
4316  		return $css;
4317  	}
4318  
4319  	/**
4320  	 * Compile requested scss and serve css.  Outputs HTTP response.
4321  	 *
4322  	 * @param string $salt Prefix a string to the filename for creating the cache name hash
4323  	 */
4324  	public function serve($salt = '') {
4325 if ($input = $this->findInput()) {
4326 $output = $this->cacheName($salt . $input); 4327 header('Content-type: text/css');