The code now uses get_defined_functions to avoid calling the internal functions mentioned above. However, there is still no whitelist of valid functions for the Textpattern parser to call: all user-defined

The file uploader, which is accessible to all authenticated users except for freelancers, does not perform filtering on the extensions of uploaded files.
This attack made it possible to grab the contents of the Textpattern config file, /etc/passwd, etc.
In response to my report, the Textpattern developers released a new version of the software, 4.4.0, which contained fixes for almost all of the vulnerabilities.
One outstanding vulnerability has been patched in

tags can be disabled on a per-site basis, other vulnerabilities (#3 / #4 on this list) allowed that protection to be bypassed. In researching this vulnerability, I discovered that it had existed since the first version of Textpattern was released.
Textpattern does not make use of stored procedures and prepared statements due to the age of its codebase; instead, it uses string concatenation combined with manual escaping.
There were several places in the code where , the username of the currently logged-in user, was not properly escaped.

There were several locations in the code where actions were taken in the application based on

requests should be idempotent to prevent unintended submissions that alter the application.
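The escaping problem described above, as an added PHP example that is not Textpattern's own code: the same username lookup written with the concatenate-and-escape pattern the advisory describes, with the escape call omitted as in the affected locations, and as a prepared statement. The table and column names, the `$db` mysqli connection and the `$user` value are assumptions for illustration.

```php
<?php
// Added example, not Textpattern's code. Assumes a mysqli connection in $db
// and the current user's name in $user; txp_users/privs are hypothetical names.

// Pattern the advisory describes: SQL built by concatenation, with escaping
// done by hand. This is only safe if every call site remembers the escape.
function query_by_concat(mysqli $db, string $user): string
{
    return "SELECT privs FROM txp_users WHERE name = '"
        . $db->real_escape_string($user) . "'";
}

// The defect the advisory found: one call site forgets the escape, so the
// username is spliced into the SQL text unmodified.
function query_by_concat_unescaped(string $user): string
{
    return "SELECT privs FROM txp_users WHERE name = '" . $user . "'";
}

// Prepared statement: the value travels as a bound parameter and never
// becomes part of the SQL text, so there is no escaping step to forget.
// get_result() requires the mysqlnd driver.
function query_by_prepared(mysqli $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT privs FROM txp_users WHERE name = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Reviewing a codebase for the concatenated form is a matter of finding every place a variable is joined into a query string; with the prepared form there is nothing per-call-site to audit.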