Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

This is a description of a vulnerability I found in the SEO Metatag Info Plugin for FlatPress that allows an attacker to fill up the target web servers disk by issuing repetitive GET requests in a specific format. The download link to the plugin has now been removed from the user contributed plugin list.

I recommend disabling this plugin if you are using it and as an alternative, I've provided a quick-fix solution that will generate meta tags automatically based on the content of an entry. That solution can be found here.

This CVE is registered with cve.mitre.org, the CVE page is located here (may not be available yet).

The vulnerability is exposed if the SEO Metatag Info Plugin is installed and enabled. This plugin attempts to generate meta tag info for all requests coming into FlatPress. This includes requests for 'categories'. FlatPress provides functionality for defining categories, unfortunately the SEO Metatag Info Plugin does not restrict it's functionality to the list of these pre-defined categories.

When a request is issued for a category that's not been previously defined, the SEO Metatag Info Plugin will write an .ini file that describes that category's metadata. In the case of an undefined category this always writes a 94 byte file with default contents to the fp-content/content/seometa/categories directory. The name of the requested category is included in the file.

For example, requesting the 'test1', 'test2', 'test3', 'test4', 'test5' categories results in the following files being written to disk:
CVE-2015-4399.png


These requests are made by generating URLs in the following format:
 Test URLs
http://<server>/?cat=<category_name>


Here category_name can be substituted for any string value and the plugin will take that string and will write a file in the following format:
 Generated files
fp-content/content/seometa/categories/cat-<category_name>_metatags.ini


Although each file is quite small, repetitive requests to a vulnerable system can generate an indefinite number of files. If the web server limits quotas using inodes, this can quickly consume all of the available inodes.



-i

Have comments or feedback on what I wrote? Please share them below! Found this useful? Consider sending me a small tip.
comments powered by Disqus
Other posts you may like...
Hi! You can search my blog here ⤵
Or browse the recent top tags...

Recent Blog Posts

How to fix Google Cloud SDK dev server error - No module named ipaddr

Adorable but totally metal - Metal Earth 3D Guardians of the Galaxy Groot model kit

Riverside Expressway Cam shut down permanently

Inserting Google DFP ads with Backbone, Underscore and jQuery

How to resolve the domain is already mapped to a project error in Google App Engine

A quick look at the Nyko Super MiniBoss wireless controllers for the SNES mini

Loading and displaying a collection from bootstrapped data in Backbone.js

Add this handy function to your Bash profile file to display the compiled JDK version for a .class file

How does PCBWay stack up as a low budget PCB fab

Resolving the Cannot reference X before supertype constructor is called compiler error in Java

Recent Galleries

BMB-012 Nanoblock T-Rex Skeleton Model assembly

Tiny Arcade revision 6 kit assembly and decal application

Atari Lynx repair - Part 5 - McWill LED screen mod installation

Atari Lynx repair - Part 4 - screen cover replacement

Atari Lynx repair - Part 2 - re-capping the motherboard

Atari Lynx repair - Part 3 - broken speaker replacement

Atari Lynx repair - Part 1 - introduction and case disassembly

Building a custom Atari Lynx game box storage shelf unit in a day

Protecting old Atari Lynx game boxes with snug fit plastic sleeves

Monument Valley 2 is released and does not disappoint

Blogs and Friends

Matt Moores Blog
Georgi's FlatPress Guide
Perplexing Permutations
The Security Sleuth
Ilia Rogatchevski
Travelling Fairy

Blog Activity

Blog Activity