Project: WordPress Plugin Jetpack by WordPress.com 6.6.1

Vulnerability: #9217809 (2018-10-30 09:10:14)

Warning

Many of these findings are false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::is_file
Risk _GET
/jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php:4225
4205  	/**
4206  	 * Join two path components with a single DIRECTORY_SEPARATOR between them.
4207  	 *
4208  	 * @param string $left  Path component, left of the directory separator; trailing '/' and '\' are trimmed
4209  	 * @param string $right Path component, right of the directory separator; leading '/' and '\' are trimmed, so an absolute-looking $right is appended to $left rather than replacing it
4210  	 *
4211  	 * @return string Joined path. No normalisation happens here: '..' segments in either component pass through unchanged, so callers must reject them.
4212  	 */
4213  	protected function join($left, $right) {
4214  		return rtrim($left, '/\\') . DIRECTORY_SEPARATOR . ltrim($right, '/\\');
4215  	}
4216  
4217  	/**
4218  	 * Get name of requested .scss file
4219  	 *
4220  	 * @return string|null
4221  	 */
4222  	protected function inputName() {
4223  		switch (true) {
4224  			case isset($_GET['p']):
4225 return $_GET['p'];
4226 case isset($_SERVER['PATH_INFO']): 4227 return $_SERVER['PATH_INFO'];
Threat level 1

Callstack:

scss_server::findInput /jetpack/modules/custom-css/custom-css/preprocessors/scss.inc.php:4245
4225  				return $_GET['p'];
4226  			case isset($_SERVER['PATH_INFO']):
4227  				return $_SERVER['PATH_INFO'];
4228  			case isset($_SERVER['DOCUMENT_URI']):
4229  				return substr($_SERVER['DOCUMENT_URI'], strlen($_SERVER['SCRIPT_NAME']));
4230  		}
4231  	}
4232  
4233  	/**
4234  	 * Get path to requested .scss file
4235  	 *
4236  	 * @return string
4237  	 */
4238  	protected function findInput() {
4239  		if (($input = $this->inputName())
4240  			&& strpos($input, '..') === false
4241  			&& substr($input, -5) === '.scss'
4242  		) {
4243  			$name = $this->join($this->dir, $input);
4244  
4245 if (is_file($name) && is_readable($name)) {
4246 return $name; 4247 }