Project: Wordpress Plugin Jetpack by WordPress.com 6.6.1

Vulnerability: #9217808 (2018-10-30 09:10:13)

Warning

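This scanner reports many false positives and vulnerabilities that are not exploitable. Please confirm the finding with a working "PoC" exploit before reporting anything to the vendor! In this trace the path handed to needsCompile() is the return value of findInput(), whose source is not shown here, so whether $_GET['p'] reaches filemtime() unchecked has to be confirmed in that method.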

Details:

Sink Standard::filemtime
Risk _GET
/jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php:4225 (show/hide source)
4205  	/**
4206  	 * Join path components
4207  	 *
4208  	 * @param string $left  Path component, left of the directory separator
4209  	 * @param string $right Path component, right of the directory separator
4210  	 *
4211  	 * @return string
4212  	 */
4213  	protected function join($left, $right) {
      		// Strips trailing '/' and '\' from $left and leading ones from $right, so the
      		// two parts meet at exactly one DIRECTORY_SEPARATOR.
      		// Only the seam is cleaned up: ".." segments or separators inside $right pass
      		// through unchanged, so this helper alone does not keep the result under $left.
      		// NOTE(review): callers joining a request-derived name need their own
      		// containment check; confirm where that happens.
4214  		return rtrim($left, '/\\') . DIRECTORY_SEPARATOR . ltrim($right, '/\\');
4215  	}
4216  
4217  	/**
4218  	 * Get name of requested .scss file
4219  	 *
4220  	 * @return string|null
4221  	 */
4222  	protected function inputName() {
4223  		switch (true) {
4224  			case isset($_GET['p']):
4225 return $_GET['p'];
4226 case isset($_SERVER['PATH_INFO']): 4227 return $_SERVER['PATH_INFO'];
Threat level 1

Callstack:

scss_server::needsCompile /jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php:4283 (show/hide source)
4263  	 * Get path to cached imports
4264  	 *
4265  	 * @return string
4266  	 */
4267  	protected function importsCacheName($out) {
      		// Derives the sidecar file name by appending '.imports' to the output path.
      		// The compile excerpt further down this page writes serialize()d
      		// getParsedFiles() data to this path.
      		// NOTE(review): the code that reads this file back is not shown here; confirm
      		// it is only unserialize()d from a cache directory that untrusted users
      		// cannot write to.
4268  		return $out . '.imports';
4269  	}
4270  
4271  	/**
4272  	 * Determine whether .scss file needs to be re-compiled.
4273  	 *
4274  	 * @param string $in  Input path
4275  	 * @param string $out Output path
4276  	 *
4277  	 * @return boolean True if compile required.
4278  	 */
4279  	protected function needsCompile($in, $out) {
4280  		if (!is_file($out)) return true;
4281  
4282  		$mtime = filemtime($out);
4283 if (filemtime($in) > $mtime) return true;
4284 4285 // look for modified imports
scss_server::serve /jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php:4329 (show/hide source)
4309  		$v = scssc::$VERSION;
4310  		$t = date('r');
4311  		$css = "/* compiled by scssphp $v on $t (${elapsed}s) */\n\n" . $css;
4312  
4313  		file_put_contents($out, $css);
4314  		file_put_contents($this->importsCacheName($out),
4315  			serialize($this->scss->getParsedFiles()));
4316  		return $css;
4317  	}
4318  
4319  	/**
4320  	 * Compile requested scss and serve css.  Outputs HTTP response.
4321  	 *
4322  	 * @param string $salt Prefix a string to the filename for creating the cache name hash
4323  	 */
4324  	public function serve($salt = '') {
4325  		if ($input = $this->findInput()) {
4326  			$output = $this->cacheName($salt . $input);
4327  			header('Content-type: text/css');
4328  
4329 if ($this->needsCompile($input, $output)) {
4330 try { 4331 echo $this->compile($input, $output);