The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the Deprecated config passing feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via config.inc.php in the ImageManager plugin.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Wysiwyg_editor | Xinha | 0.9-beta (including) | 0.9-beta (including) |
| Wysiwyg_editor | Xinha | 0.91-beta (including) | 0.91-beta (including) |
| Wysiwyg_editor | Xinha | 0.92-beta (including) | 0.92-beta (including) |
| Wysiwyg_editor | Xinha | 0.93 (including) | 0.93 (including) |
| Wysiwyg_editor | Xinha | 0.94 (including) | 0.94 (including) |
| Wysiwyg_editor | Xinha | 0.95 (including) | 0.95 (including) |
| Wysiwyg_editor | Xinha | 0.96-beta (including) | 0.96-beta (including) |
| Wysiwyg_editor | Xinha | 0.96-beta2 (including) | 0.96-beta2 (including) |