Igor's Blog
Programming, DIY, Games, Hacks, and Tech

This is a description of a vulnerability I found in the SEO Metatag Info Plugin for FlatPress that allows an attacker to fill up the target web server's disk by issuing repetitive GET requests in a specific format. The download link to the plugin has now been removed from the user contributed plugin list.

I recommend disabling this plugin if you are using it. As an alternative, I've provided a quick-fix solution that generates meta tags automatically from the content of an entry. That solution can be found here.

This CVE is registered with cve.mitre.org; the CVE page is located here (it may not be available yet).

The vulnerability is exposed if the SEO Metatag Info Plugin is installed and enabled. This plugin attempts to generate meta tag info for all requests coming into FlatPress, including requests for 'categories'. FlatPress provides functionality for defining categories; unfortunately, the SEO Metatag Info Plugin does not restrict its functionality to the list of these pre-defined categories.

When a request is issued for a category that has not been previously defined, the SEO Metatag Info Plugin writes an .ini file describing that category's metadata. For an undefined category this always writes a 94 byte file with default contents to the fp-content/content/seometa/categories directory. The name of the requested category is included in the file.

For example, requesting the 'test1', 'test2', 'test3', 'test4', 'test5' categories results in the following files being written to disk:
(Screenshot: CVE-2015-4399.png, showing the five generated .ini files)


These requests are made by generating URLs in the following format:

Test URLs:
http://<server>/?cat=<category_name>


Here category_name can be substituted for any string value; the plugin takes that string and writes a file in the following format:

Generated files:
fp-content/content/seometa/categories/cat-<category_name>_metatags.ini

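To make the root cause concrete, here is an added example (not code from the plugin or from FlatPress) that models the write path described above in Python. The vulnerable function writes a file for any requested category, exactly as the text describes; the hardened variant only writes when the category is in the site's defined list and the name is a plain slug. The default file contents, the slug rule and the `defined` set are constructed assumptions for this example; the directory layout and file name pattern are the ones given on this page.

```python
import os
import re
import tempfile

# Constructed stand-in for the plugin's default file contents (assumption;
# the page only reports that the default file is 94 bytes).
DEFAULT_META = "[metatags]\nkeywords=\ndescription=\n"

# Conservative category slug rule used by the hardened variant (assumption;
# the plugin itself imposes no such rule).
SAFE_CATEGORY = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def metatag_path(base_dir, category):
    """Path in the layout the page describes:
    fp-content/content/seometa/categories/cat-<category>_metatags.ini"""
    return os.path.join(base_dir, "fp-content", "content", "seometa",
                        "categories", f"cat-{category}_metatags.ini")


def write_meta_vulnerable(base_dir, category):
    """Models the reported behaviour: every ?cat= value becomes a file on disk."""
    path = metatag_path(base_dir, category)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(DEFAULT_META + f"category={category}\n")
    return path


def write_meta_hardened(base_dir, category, defined_categories):
    """Writes only for categories the administrator has defined, and only when
    the name is a plain slug, so unknown requests never touch the disk.
    Returns the path written, or None when the request is rejected."""
    if not SAFE_CATEGORY.fullmatch(category):
        return None
    if category not in defined_categories:
        return None
    return write_meta_vulnerable(base_dir, category)  # same write, now gated


def count_category_files(base_dir):
    """Number of category .ini files present under base_dir."""
    d = os.path.dirname(metatag_path(base_dir, "x"))
    return len(os.listdir(d)) if os.path.isdir(d) else 0


def demo():
    """Replays the five 'testN' requests from the page plus one defined
    category against both variants; returns (vulnerable_count, hardened_count)."""
    defined = {"news", "projects"}          # constructed defined-category list
    requested = ["test1", "test2", "test3", "test4", "test5", "news"]
    with tempfile.TemporaryDirectory() as vuln, tempfile.TemporaryDirectory() as safe:
        for cat in requested:
            write_meta_vulnerable(vuln, cat)
            write_meta_hardened(safe, cat, defined)
        return count_category_files(vuln), count_category_files(safe)


if __name__ == "__main__":
    print(demo())  # (6, 1)
```

The hardened variant rejects the request before any directory is created, so the number of files on disk is bounded by the number of categories the administrator has actually defined rather than by the number of distinct strings a client chooses to send.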

Although each file is quite small, repetitive requests to a vulnerable system can generate an indefinite number of files. If the web server enforces disk quotas by inode count, this can quickly exhaust all of the available inodes.

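Because every distinct undefined category value costs one file and one inode, the request pattern is easy to spot in the web server's access log. The following added example (my own detection logic, not part of the original post) parses constructed combined-format log lines, extracts the `cat` query parameter, and flags clients that requested several distinct categories outside the defined list, estimating the resulting disk usage from the 94 byte default file size reported above. The log lines, the IP addresses, the defined-category set and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format, reduced to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2015:10:00:01 +0000] "GET /?cat=news HTTP/1.1" 200 5120
198.51.100.9 - - [10/Jun/2015:10:00:02 +0000] "GET /?cat=test1 HTTP/1.1" 200 4096
198.51.100.9 - - [10/Jun/2015:10:00:02 +0000] "GET /?cat=test2 HTTP/1.1" 200 4096
198.51.100.9 - - [10/Jun/2015:10:00:03 +0000] "GET /?cat=test3 HTTP/1.1" 200 4096
198.51.100.9 - - [10/Jun/2015:10:00:03 +0000] "GET /?cat=test4 HTTP/1.1" 200 4096
198.51.100.9 - - [10/Jun/2015:10:00:04 +0000] "GET /?cat=test5 HTTP/1.1" 200 4096
198.51.100.9 - - [10/Jun/2015:10:00:04 +0000] "GET /?cat=test3 HTTP/1.1" 200 4096
203.0.113.7 - - [10/Jun/2015:10:00:05 +0000] "GET /?cat=projects HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jun/2015:10:00:06 +0000] "GET /?cat=typo HTTP/1.1" 200 4096
"""

DEFAULT_FILE_BYTES = 94   # size of the default .ini file reported on this page


def undefined_categories_by_client(log_text, defined_categories):
    """Map each client IP to the set of distinct ?cat= values it requested
    that are not among the site's defined categories. On a vulnerable
    install each such value is one new file and one inode."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines we cannot parse
        query = urlsplit(m.group("target")).query
        for cat in parse_qs(query).get("cat", []):
            if cat not in defined_categories:
                seen[m.group("ip")].add(cat)
    return dict(seen)


def flag_clients(log_text, defined_categories, threshold=3):
    """Return {ip: (distinct_undefined_count, estimated_bytes_written)} for
    every client at or above the threshold. Repeats of the same value are
    counted once, since the plugin rewrites the same file."""
    flagged = {}
    by_client = undefined_categories_by_client(log_text, defined_categories)
    for ip, cats in by_client.items():
        if len(cats) >= threshold:
            flagged[ip] = (len(cats), len(cats) * DEFAULT_FILE_BYTES)
    return flagged


if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG, {"news", "projects"}))
    # {'198.51.100.9': (5, 470)}
```

A single misspelt category from a legitimate visitor (the `typo` request above) still creates one file, which is why the check counts distinct undefined values per client rather than alerting on the first one; the real fix remains disabling or patching the plugin, with this check serving to confirm whether an install has already been hit.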


-i
